iSMET: The Ultimate Tool for Meterpreter Encryption in Penetration Testing
Introduction to iSMET
In the realm of penetration testing, we often find ourselves in need of specialized tools. Among these, tools for “Malware Development” or “Bypassing Anti-Malware Products” are indispensable. Cybersecurity is one of the fastest-growing sectors, constantly evolving and branching into various sub-specialties. With this evolution comes the development of protective measures against different attack vectors. One of the most significant advancements is the integration of Microsoft Defender into Windows 10 and Server 2016 operating systems, and its inclusion in all subsequent versions.
The Need for Advanced Tools
The integration of Microsoft Defender is a game-changer because it means Microsoft has entered the anti-malware sector and embedded its solution directly into the operating system. Microsoft Defender is capable of detecting all of the payloads shipped with Metasploit, and the encoder modules Metasploit uses to obfuscate those payloads are recognized by Defender as well. For instance, if we manage to infiltrate a few systems using various methods and then attempt to use PsExec to pivot to other systems with credentials obtained via Mimikatz, all of our payloads will be detected by Microsoft Defender, rendering our efforts futile.
Due to these and many other reasons, we decided to develop tools that can be used in penetration testing and Red Teaming tests. One such tool is iSMET, which we developed a while ago and continue to use in our tests. We have decided to release this highly successful Red Teaming tool as open-source soon.
What is iSMET?
iSMET is a tool that can use both “asymmetric” and “symmetric” encryption techniques. It can generate meterpreter agents for the following combinations of application types, payloads, and encryption types:
- 12 different types of meterpreter payloads
- 8 different encryption techniques
- 2 different application types
iSMET provides encryption support for the most commonly used meterpreter agents. Before delving into the details of the encryption modules, let’s look at the modules used by iSMET:
Modules Used by iSMET
- iSMET: The user interface (UI) that transfers user input to other modules.
- iSMET.CSharp.Collection: A library of frequently used functions for strings, bytes, arrays, etc.
- iSMET.Encryption: A library containing encryption algorithms.
- iSMET.Packer: A library for memory management and advanced obfuscation functions.
- iSMET.ShellCode: A library containing shellcodes for meterpreter agents.
How iSMET Works
iSMET requires four main modules to function. The “iSMET” module is the UI that transfers user input to the other modules. The “iSMET.CSharp.Collection” library is used for various operations such as generating random passwords for symmetric encryption, converting byte arrays to strings, and creating random file names. The “iSMET.Encryption” library supports the DES, TripleDES, RC2, Rijndael, RSA, AES-CBC, and Blowfish algorithms. The “iSMET.ShellCode” library is a dynamic library containing shellcode for meterpreter and shell (cmd) payloads. This library allows us to dynamically change the IP and port information of the agent we want to create and to generate a meterpreter or shell agent through the compiler library.
User Interface
iSMET features a simple interface based on the “Modern UI” Windows Presentation Foundation project. The IP address field holds the IP address for the reverse connection, and the port field holds the port number for the reverse connection. The “Type” field specifies the type of application in which the agent should be created. If “Console Application” is selected, a payload that runs within a classic console application is created. If “Windows Form Application” is selected, a payload that runs within a Windows Forms application is created. Each technique has its own advantages and disadvantages. For example, a payload created as a Console Application runs in a classic cmd.exe window on the target, whereas a Form Application payload runs from an application that hides itself in the background. The likelihood of being detected by anti-malware products therefore differs for each application type.
ShellCode Library
The MeterpreterShellCode class within the iSMET.ShellCode library contains the main functions needed to create meterpreter and shell agents. This library stores many meterpreter and shell agents in both x86 and x64 formats, such as ReverseTcp, ReverseTcpRc4, and BindTcp. Each member of the class takes a string-type IP address and a string-type port. The IP and port information passed to each meterpreter and shell agent is substituted dynamically within the shellcode, and the resulting shellcode is rebuilt as a byte array and handed to the compiler.
Encryption Techniques
Shellcode processed with no encryption, Base64 (an encoding rather than a cipher), Rijndael/AES, DES, 3DES, or RSA is embedded into an executable application (exe) that iSMET creates dynamically and that is then sent to the target. Shellcode processed with RC2, AES-CBC, or Blowfish is instead written to a separate file named “Stub.bin”. Separating the shellcode from the application and storing it in a different file in encrypted form is a highly effective method for bypassing anti-malware products.
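The “Stub.bin” design has a defensive corollary worth noting: an encrypted payload stored beside its loader is a small, high-entropy file sitting next to an executable, which is itself a detectable artifact. The following Python is an added example written for this article, not code from iSMET or Privia Security. It implements a Shannon-entropy check and a sidecar heuristic over a constructed, in-memory directory listing; the 7.2 bits/byte cutoff and the helper names are assumptions chosen for illustration.

```python
import math
import hashlib
from collections import Counter
from typing import Dict, List

# Assumed heuristic cutoff (bits per byte). Compressed or encrypted data
# approaches 8.0; plain text and ordinary PE code sit well below it.
ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True when the byte distribution is flat enough to suggest ciphertext."""
    return shannon_entropy(data) >= threshold


def find_high_entropy_sidecars(files: Dict[str, bytes]) -> List[str]:
    """Return the names of non-.exe files that look encrypted and that sit in
    the same (flat) listing as at least one .exe. A lone encrypted blob is
    not flagged; the heuristic targets the loader-plus-payload pairing."""
    has_exe = any(name.lower().endswith(".exe") for name in files)
    if not has_exe:
        return []
    return sorted(
        name for name, data in files.items()
        if not name.lower().endswith(".exe") and looks_encrypted(data)
    )


def _pseudo_random(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy filler built by chaining SHA-256 digests,
    so the sample listing below is reproducible offline."""
    out = bytearray()
    block = seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


# Constructed sample data (not real files): a low-entropy "executable" body,
# a high-entropy blob standing in for an encrypted sidecar, and a text file.
LOW_ENTROPY_SAMPLE = b"This program cannot be run in DOS mode.\r\n" * 100
HIGH_ENTROPY_SAMPLE = _pseudo_random(b"constructed-sample-seed", 4096)
SAMPLE_LISTING = {
    "agent.exe": LOW_ENTROPY_SAMPLE,
    "Stub.bin": HIGH_ENTROPY_SAMPLE,
    "readme.txt": b"hello world\n" * 20,
}

if __name__ == "__main__":
    for name, data in SAMPLE_LISTING.items():
        print(f"{name:12s} entropy={shannon_entropy(data):.3f} bits/byte")
    print("flagged sidecars:", find_high_entropy_sidecars(SAMPLE_LISTING))
```

On a real host the same functions would be fed the bytes of each file in a directory; the pairing rule keeps the check from firing on every archive or certificate store, and the threshold should be tuned against a baseline of the environment's legitimate high-entropy files.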
BuildCode Class
The BuildCode class within the iSMET.CSharp.Collection library consists of three separate classes: Console, Form, and Powershell. These classes contain the code needed to dynamically create the C#-based executables that run the meterpreter agent.
For more information, you can visit the Privia Security website.