Disable the Courtesy Shell from Meterpreter VNCInject

During the last week the team and I were engaged in producing a demo for MGMT individuals to show how an innocent-looking email with a clickable link could lead to a full system compromise. We started with BeEF and then quickly introduced the latest IE8 Dept. of Labor 0day onto an evil page hosted by our simulated attacker.

After compromise we decided to introduce some post exploitation modules to include microphone recorder, keylogger, credential harvesting, and of course VNC.

Everything was going great and the courtesy shells were flying; however, the ultimate goal is stealthy attacks without alerting the end user that something is in disarray...

The question had arisen of how to be stealthy. Our research led us to the "show advanced" options in Metasploit, where we found "DisableCourtesyShell" as an option; however, issuing this was not working as expected.

I decided to further research this within the source for:
    
    modules/payloads/stages/windows/vncinject.rb

A 'require' mentioned another file which contained options for the VNCInject payload which we were using.

Upon inspection of the file:
    
    lib/msf/base/sessions/vncinject_options.rb 

I noticed there was a bit of code which was simple enough to modify from false to true ;)



    OptBool.new('DisableCourtesyShell',
      [
        true,                                      # required
        "Disables the Metasploit Courtesy shell",  # description
        true                                       # default value
      ]),

I saved the edited file as:

    lib/msf/base/sessions/vncinject_silent_options.rb 

Now it is time to edit the module source to call the newly modified silent_options file:

    modules/payloads/stages/windows/vncinject_silent.rb

After reloading MSF, we now have a new optional VNCInject module which is "silent".

Hope you enjoy!



