Jump to content
Hak5 Forums


Active Members
  • Content count

  • Joined

  • Last visited

  • Days Won



About PoSHMagiC0de

  • Rank
    Hak5 Zombie

Contact Methods

  • Website URL

Profile Information

  1. WPA2 - Broken

    I like LiveOverflow's videos too. His videos are the ones to watch if you want to get into the binary side of things.
  2. Forums Section for Cryptology?

    hey Folks, I hope all will read this. There has been interest in post about cryptology. In general, people asking about how to use crypto tools, do crypto, break crypto, leverage crypto, etc. Briefly there were people asking about crypto in payloads (not subject that I would like discussed here if not pertaining to using crypto for obfuscation.). In private chat there has been interest in it towards me and even someone from Hak5 mod group mentioning they would be interested in something and would not be against the idea of beginning a forum section for it. Why do we need a separate section? Well, look at crypto. For all crypto questions, can you pick 1 forum it would fit in? I do not. If I want to post about crypto programmically then the app and coding section would suffice. What if I wanted to know about GPG, maybe General questions, applications, Security all three would work. What about writing code that uses GNUPGP for stuff and you the person needs function GPG can do and how to interact via code? You tell me where that would go. What will be discussed. Everything crypto. Help identify a hash for someone, post your own "roll your own crypto" algorithm, answer questions on how to do AES or RSA crypto. Anything crypto from crypto app usages to doing your own can be discussed. It will give the crypto guys a place to look if they feel like discussing or answering questions about the topic too. Last, all other boards also see a need to separate out this topic because it covers multiple areas that anyone wanting to talk about crypto will be hopping all over the forums for a good place to post. What we should not discuss. I say any question leading to direct illegal goals. That means no questions on how to write crypto lockers or such. I know that code people may post may be able to be combined with others code to eventually create a crypto locker but some people already know that once you get down how to do crypto in a language, it is trivial to convert it to something bad. That cannot be stopped but hopefully we will no entice by directly assisting in it. What does everyone think? Maybe I should have made this a poll. One can be created if folks actually read and respond to this one hehe.
  3. script to check if file is on the computer

    How are the files being upload? Is it a quack command, bat file, vbs or Powershell? If there are no subfolders and they all end up in the root the the %tmp% folder then in Powershell the command to check is first create an array of the files that should be there. $myfiles = @("file1.exe", "file2.exe", "file3.txt") # Then loop through checking them with test-path, in Powershell $env:tmp is the same as %tmp%. foreach ($file in $myfiles) { if(Test-Path "$env:tmp\$file") { # Do something if file exists. Write-Host ("File {0} exists." -f @($file)) } else { # Do something if file is missing. Write-Host ("File {0} is not present" -f @($file)) } } If you use Powershell to do the copying then you can copy each file and and have a condition when it fails to copy a file that way you can check while copying. $myfiles = @("file1.exe", "file2.exe", "file3.txt") foreach ($file in $files) { Copy-Item -Path "$rootpathtofiles\$file" -Destination "$env:tmp\$file" -ErrorAction "SilentlyContinue" -ErrorVariable myerror if($myerror) { # Do something about that file not being copied. Write-Host ("File {0} did not copy." -f @($file)) } #Else is optional for files that copied, if you just want to continue on then leave out else. else { # Do something when file is successfully copied. Write-Host ("File {0} copied successfully" -f @($file)) } }
  4. help wanted

    Hey @kereltjee Specify what you are trying to do and how so your steps can be retraced and see if their is a madness to your method. Welcome to the forums and hope you find the help you need.
  5. Inline VBS scripting

    I prefer not to use vbs myself too. Only looked into it because I seen a lot of payloads folks been writing using vbs. Figured might as well see if vbs could be fileless too.
  6. Inline VBS scripting

    Nope. Normal user can do it. In essence, it can be a file-less VBS. I think I am going to go through the payloads and find the ones that do vbs and redo them to use this method if possible as a POC. If possible what can be done? Welp, for Office macros I obfuscate all the methods and procedures in the macro to fire off my Powershell script. Same can be done with these scripts so they can be stored obfuscated. You can deobfuscate in memory and execute them. Here is an example, if you run Windows 10 or 7. On your desktop create a file called "vbtest.txt". Inside it up the following code. Msgbox "I ran from vbtest, first line." Msgbox "Just to prove I am multiline, here is the second." Msgbox "Don't believe me? Here is a third." Now, launch a command prompt window and navigate to your desktop. Makes the commandline shorter since you can reference the file from your location. Now, in the command prompt put in the following code. mshta vbscript:Execute("Set fso=CreateObject(""Scripting.FileSystemObject""):Set osc=fso.OpenTextFile(""vbtest.txt"", 1):sc=osc.ReadAll:osc.Close:Execute(sc):window.close") This should read that vbtest.txt file in and execute it giving you 3 message boxes 1 after the other showing it is running the whole script multiline, closing the mshta window that opens afterwards. Imagine instead of reading that file from the local drive but from say SMB or download it from the net to a variable the execute.
  7. [PAYLOAD] PasswordGrabber

    Nope. That is why Darren mention using smb to to upload. At that point, might as well make it all smb delivery and retrieval.
  8. Inline VBS scripting

    mshta is in windows already like powershell.exe. No adding an executable. So, for those who like vbscript ( I go powershell myself), you can use the inline portion to initiate a download cradle, like with powershell, to download vbscript and run it. It is just an alternative. Nothing new to download, all part of windows still. I have not looked up what this app is but if I would guess, it has something to do with handling HTA files.
  9. Unable to delete directories in loot dir

    Look at the link below. It was in the changelogs for version 1.2. https://storage.googleapis.com/bashbunny_updates/ch_fw_1.3-changelog.txt
  10. Unable to delete directories in loot dir

    The udisk partition may have become corrupt. Backup any files and folders you see are readable to your local machine. Now follow procedures to ssh into the bunny and use the udisk format to reformat the partition. When done, you should be able to copy back your stuff and interact again. To help prevent this, whenever you are in usb mode be it a payload or arming, you should safely eject the bunny to ensure everything is synced before physically removing.
  11. Inline VBS scripting

    So, first, check this out. There is a version of mimikatz that works for Windows 10 Creator Update but no success getting it injectable for powershell like the old. The info is here. Now....for the topic. So, I seen lots of payloads with physical vbs files. I have a tendency that when I see something using physical file writing, I try to find a way to prevent that....and I did though I leave the rest of the work to you. The secret, if it is not blocked, is mshta.exe. This bad boy can run in line vbs scripts from the command line, no file needed to reference. Differences are so. Below is a simple 2 step command. It will pop open a message box and once you hit "OK", it will open a second one to show the vbscript window is not popping up. After you close that one it will run the Window.close command closing the vbscript window that you will see briefly. You will notice I have a window.close method at the very end. If this is not present, when the box closes you are left with a big empty WScript window that you have to manually close. The last command closes that window. So, stealthiness of this method is not completely silent. The window will not pop up until the end of the script. if you remove the window.close command you will see what I am talking about. So, the command line for this is. mshta vbscript:Execute("Msgbox ""Hello World1"":Msgbox ""Hello World2"":window.close") So you can use your imagination and see how you can make your vbscript perform like powershell inline. Difference is how you pull the extra payloads but to execute them you just use the Execute command on them to run a string elements as vbs commands. Similar to what I did inline above.
  12. [PAYLOAD] PasswordGrabber

    So, since I saw this payload was on the new Hak5 show, (I always said they should showcase payloads to keep interest sparked and give some kind of incentive to produce cool stuff.) I decided to peek at it. I already have a ton of payloads in my arsenal that does these so when I see a payload that does what I already am doing, it usually takes me some time to get to it to check it out. Anyway, I decided to look into ways to obfuscate this thing and make it more streamline. Well, I ran into a snag. Apparently, this executable is a pyinstaller executable. I haven't tried to handle one of those before so I tried and failed. I could not inject this thing worth a man in the moon. It is classified as not being a true PE. Hmm. I see this happens with .NET apps too before I realize they are .NET and inject differently. I have not checked to see if this thing is actually .NET in some way but if not then if the spirit hits me I may scramble through the source code and do a .NET compatible conversion so on Windows more can be done with it to hide it..like reflections assembly loading. So, an idea some people have thrown at me that will not work... Encrypt the executable on the drive, copy and run it. : Will not work. Although it is safe as an encrypted file, I have to decrypt it eventually and when I do I will have it in memory so how do I run it if i cannot inject it? it is still a pyinstaller executable.- I will still need to write it back to disk in english to run which will fire off AV then. After going through some of the py files in the project last night, the guy did such a clean job you could recreate this project with practically same file structure in .NET. Not going to say it is a piece of cake and will take no time. Just saying almost all the methodology is right there, just have to "port" it. Since you can do it in .NET, you could just script it all in Powershell too though it will be a huge script or a bunch of medium to large interdependent scripts. Another way is to modify the py files and for parts you think are being seen as bad, turn them into obfuscated strings to be executed as py commands. Easiest way to obfuscate is string substitution for commands and code blocks.
  13. So, many of you in the Bashbunny and Rubber Ducky forums are noticing mimikatz/mimidogz in Powersploit has issues with Win10 after the creators update. It can dump hashes from the sam but it could not get the cleartext passwords like it used to do or currently do on Windows 7. Well, Gentilkiwi decided to get to work and has a new version of mimikatz that will get the cleartext passwords from Windows 7 Creators Update. You can find it below. https://github.com/gentilkiwi/mimikatz Now, what about Invoke-Mimikatz in Powersploit or Mimidogz. Well, a few of us has been trying to get it to work in the module by substituting the base64 encoded binaries of the old mimikatz with the new base64 encoded binaries. It does work but will not receive the parameters. The command line parameters for dumpcreds has changed and has to have the mimi command "privilege::debug" ran first before the usually 2 other commands afterwards "sekurlsa::logonpasswords exit". What I get is the mimi interactive shell which is fine for live stuff but if trying to automate then this is a stopper. Also, it seems to crash out the Powershell process it is in when you exit out of it. If you use the direct executable, Windows defender will see it and stop/kill/remove it. Avast will definitely kill it, I use Avast as the most difficult of scanners to obfuscate from. If I beat Avast at full settings, good chance all the others will be the same. So, if others want to try and help figure it out. Check out the issues thread for it that started on Powersploit's repo.
  14. Starting pen testing

    So, I agree with all the above, especially @reubadoob. One thing you really need is the drive to learn more, research, find. One big part of pentesting is recon. Recon involves lots of research. With that said, the more you know about the system you are exploiting, the more easier and probable you will find an exploit if one exists. This goes with what @digip quotes about. If you are exploiting a Windows system then the more you know how to admin it, the more easier you can find the faults. Windows Server is the same and of course knowing all the components like DHCP, DNS, AD, SMB, you see where I am going with this. I have to say, knowing how to code helps a bunch. It gives you a deeper understanding of the lower level exploits, how they work, tweak them if you have to because of something different in one system to the next. You can also learn from the code in other people's tools. A lot of my learning comes from that. Finding exploits in compiles code involves having assembly and debug skills. Pretty much the more you learn, the better you are. I don't mean just learn how to use the exploit tools, learn why they work.
  15. [PAYLOAD] RevShellBack

    You can trim off a bunch of characters from the run line by putting the cleanup line at the beginning, end or where ever you want in the ncat script to do the cleanup. Only thing you should need in the stager is the code needed to get the rest of the code so your cleanup can be in the rest of the code that netcat has. Do not know what the character count will be afterwards. Yeah, since he is using net.sockets, the stager will be bigger than the http stagers because he has to handle the data gathering manually through a stream and then running it. There is code to make a script hide itself from within the script itself but will pad more code to either the stager script or the script itself, where ever you want the hide code to run. It involves some c# assembly to expose a function from a native. The code could actually be used to hide any running process window that you have access to, or minimize, maximize and stuff. It interacts with the window handler for that process. Easy to find in a Google search too. Been asked a lot online.