An older post of mine – MicroSploit dealt with generating backdoored documents for the Office platform. This post is about another open source framework, called WinPayloads which helps you create custom malicious payloads for the Microsoft Windows operating system.
What is WinPayloads?
WinPayloads is an open source Microsoft Windows payload generator written in Python that uses the Metasploit framework to generate AES-encrypted payloads. These payloads are compiled using PyInstaller, and the generated shellcode payload is executed using ctypes. You can not only use the Metasploit Meterpreter to generate payloads, but also set up a web server using SimpleHTTPServer, bypass User Account Control (UAC), and use PsExec to execute processes on other systems.
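Because WinPayloads compiles its payloads with PyInstaller, a quick defender-side triage step is to recognise a PyInstaller-bundled executable before unpacking it. Every PyInstaller build appends a CArchive "cookie" near the end of the binary that starts with the fixed 8-byte magic `MEI\014\013\012\013\016` and is followed by the package length, TOC offset, TOC length, encoded Python version and (in newer releases) a 64-byte Python library name. The script below is an added example written for this post, not code from the WinPayloads project; the sample bytes it scans are constructed inline, and the version-decoding rule (`major*100+minor` for newer builds, `major*10+minor` for older ones) is an assumption based on PyInstaller's archive writer.

```python
"""Defender-side triage: recognise a PyInstaller-packed Windows executable.

Locates the PyInstaller CArchive cookie at the tail of a file and decodes
its header fields so an analyst can confirm that a suspicious .exe is a
bundled Python program before spending time on a full unpack.
"""
import struct
from typing import Optional

# Fixed magic that opens the PyInstaller CArchive cookie.
PYINSTALLER_MAGIC = b"MEI\014\013\012\013\016"
# Cookie header: magic, package length, TOC offset, TOC length, Python version
# (all big-endian uint32). Newer PyInstaller releases append a 64-byte,
# NUL-padded Python library name (e.g. "python38.dll").
COOKIE_STRUCT = struct.Struct("!8sIIII")
PYLIB_NAME_LEN = 64


def decode_python_version(pyvers: int) -> str:
    """Turn the cookie's version integer into 'major.minor'.

    Assumption: newer PyInstaller writes major*100+minor (308 -> 3.8),
    older versions wrote major*10+minor (38 -> 3.8, 27 -> 2.7).
    """
    if pyvers >= 100:
        return f"{pyvers // 100}.{pyvers % 100}"
    return f"{pyvers // 10}.{pyvers % 10}"


def find_pyinstaller_cookie(data: bytes) -> Optional[dict]:
    """Return decoded cookie fields if `data` looks PyInstaller-packed, else None."""
    # The cookie sits at the end of the appended archive, so search backwards.
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos == -1 or pos + COOKIE_STRUCT.size > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyvers = COOKIE_STRUCT.unpack_from(data, pos)
    # Plausibility checks: the archive must fit in the file and the TOC inside it.
    if pkg_len > len(data) or toc_off + toc_len > pkg_len:
        return None
    tail = data[pos + COOKIE_STRUCT.size: pos + COOKIE_STRUCT.size + PYLIB_NAME_LEN]
    pylib = tail.split(b"\0", 1)[0].decode("ascii", errors="ignore")
    return {
        "cookie_offset": pos,
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version_raw": pyvers,
        "python_version": decode_python_version(pyvers),
        "python_lib": pylib or None,
    }


def scan_file(path: str) -> Optional[dict]:
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return find_pyinstaller_cookie(fh.read())


def build_sample_packed() -> bytes:
    """Constructed stand-in for a PyInstaller-built .exe (not a real binary)."""
    pe_stub = b"MZ" + b"\0" * 198                      # fake PE image, 200 bytes
    archive_body = b"A" * 150                           # fake archive contents
    toc_off, toc_len = 100, 40                          # fake TOC inside the body
    pkg_len = len(archive_body) + COOKIE_STRUCT.size + PYLIB_NAME_LEN
    cookie = COOKIE_STRUCT.pack(PYINSTALLER_MAGIC, pkg_len, toc_off, toc_len, 308)
    cookie += b"python38.dll".ljust(PYLIB_NAME_LEN, b"\0")
    return pe_stub + archive_body + cookie


SAMPLE_PACKED = build_sample_packed()
SAMPLE_PLAIN = b"MZ" + b"\0" * 500                     # constructed non-PyInstaller file

if __name__ == "__main__":
    print("packed :", find_pyinstaller_cookie(SAMPLE_PACKED))
    print("plain  :", find_pyinstaller_cookie(SAMPLE_PLAIN))
```

Run it as-is to see the decoded cookie from the constructed sample, or call `scan_file()` on a quarantined binary. A hit only tells you the file is a bundled Python program; it is a cheap filter for deciding which samples deserve a full PyInstaller extraction and review of the bundled scripts.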
Functions of WinPayloads:
- UACBypass – Implements Invoke-BypassUAC.ps1 from PowerShellEmpire to bypass UAC. This module works on Local Administrator accounts only.
- PowerUp – Implements PowerUp.ps1 again from PowerShellEmpire to escalate privileges via PowerUp AllChecks.
- Invoke-Shellcode – Implements Invoke-Shellcode.ps1 from PowerSploit to inject shellcode.
- Invoke-Mimikatz – Implements Invoke-Mimikatz.ps1 from PowerSploit to reflectively load Mimikatz completely in memory.
- Invoke-EventVwrBypass – Implements Invoke-EventVwrBypass.ps1 by @enigma0x3.
- Persistence – Adds payload persistence on reboot via registry keys and the startup folder.
- PsExec Spray – Sprays hashes until a connection succeeds, then runs the payload on the target via PsExec.
- Uploads the payload to a local web server using SimpleHTTPServer.
- PowerShell stager – allows invoking payloads in memory & more.
Payloads supported by WinPayloads:
- Windows Reverse Shell: This payload will give the attacker a stageless reverse TCP shell. A listener will be automatically started using NetCat.
- Windows Reverse Meterpreter: This payload will give the attacker a staged reverse TCP meterpreter shell. A listener will be automatically started using Metasploit.
- Windows Bind Meterpreter: This payload will give the attacker a staged bind TCP meterpreter shell. Connection to the bind port will be automatically started using Metasploit.
- Windows Reverse Meterpreter HTTPS: This payload will give the attacker a staged reverse HTTPS meterpreter shell. A listener will be automatically started using Metasploit.
- Windows Reverse Meterpreter DNS: This payload will give the attacker a staged reverse TCP meterpreter shell with DNS name resolution. Good for dynamic IP addresses and persistence payloads. A listener will be automatically started using Metasploit.
As discussed earlier, you can also host the payload locally on an HTTP server and spray hashes to find a vulnerable target using PsExec.
WinPayloads depends on a few Python packages such as Blessed and PyASN1, in addition to Wine and Impacket. Installation is handled by the included installation script. You can start by checking out the WinPayloads Git repository here.