
PoSHMagiC0de

Dedicated Members
  • Posts: 618
  • Joined
  • Last visited
  • Days Won: 26

Everything posted by PoSHMagiC0de

  1. You can do this with a wifi pineapple or even your own machine with help from some MiTM products like bettercap or MiTMf. I think js-inject is the way you go. The hard part will be encrypted traffic which I do not know if possible and if so then how unless you have a cert that can sign valid certs, in which case the traffic will be unencrypted and you can inject into it. SSLStrip may work for those not in Google's HSTS list. Why js-inject? Because you want it to be dynamic based off of what site they are on judging by your post. The js will need to read the page you are on (browser DOM) and do something with it. Note: Not saying you will but I normally get hammered with private messages when I post something like this asking for particulars and stuff. Please do not. It will take me forever to respond. Post it here so others have a chance to respond and give input. Also, my first inclination when someone privates me after a post is they are up to no good, so I do stall to determine the ethics of the message.
  2. All Crypto. Old, new. Want to talk RoT13 (don't know why) then yelp. Want to discuss your own custom with shifting and xor'ing...yelp. Anything crypto as long as it is not directly malicious in the ways of cryptolockers or cracks for commercial software. On the cryptolocker side, if it is a discussion on how they work and the keying methods, or a discussion of how an existing one works (to understand it, not use it), then that is cool as it is not a discussion in hopes to build redeployments. Very straightforward rules: talk about all things crypto as long as it is not a discussion on how to be an asshole with it. :-)
  3. I was in hexchat and it showed them on an old cert. Told it to ignore it for now and got in. Yeah, not secure to ignore certs but it is hak5 irc and nothing covert was going to be discussed at the time. Doh, now it is fixed hehe.
  4. You been watching LiveOverflow videos too huh? :-) Yeah, I have not done those but have seen videos on them existing. The section would definitely pertain to keygen making....if legit. I do not want any illegal stuff like keygens for real apps popping up but reviewing the concept and techniques through the crackmes I do see as beneficial.
  5. Yeah, Darkscience "LetsCrypt" cert expired on the 18th. They need to run their script to update their cert hehe.
  6. I agree. And powerdump works for getting SAM hashes. Token manipulation works for getting tokens. Mimikatz still good for golden tickets though. But yeah, there are other methods to use mimi to get creds.
  7. Aren't the CrackMe more binary exploit than crypto? But if it is solving a crypto challenge then yelp.
  8. Well, would be good with the ducky too if you build a nice reverse connection for this to get you access to it from behind a firewall and build a shell management framework in it. Deploy it on the victim network someplace hidden with network access. Use a ducky and/or Bunny to deploy the shell agent to victims at the site with some persistence and there you go. On a side note, I do wish that the usb could double as a network gadget; then you could probably make this thing an active tap for wireshark when you want one too. :-P
  9. I like LiveOverflow's videos too. His videos are the ones to watch if you want to get into the binary side of things.
  10. Hey Folks, I hope all will read this. There has been interest in posts about cryptology. In general, people asking about how to use crypto tools, do crypto, break crypto, leverage crypto, etc. Briefly there were people asking about crypto in payloads (not a subject that I would like discussed here if not pertaining to using crypto for obfuscation). In private chat there has been interest in it towards me and even someone from the Hak5 mod group mentioning they would be interested in something and would not be against the idea of beginning a forum section for it.

      Why do we need a separate section? Well, look at crypto. For all crypto questions, can you pick 1 forum it would fit in? I do not. If I want to post about crypto programmatically then the app and coding section would suffice. What if I wanted to know about GPG? Maybe General questions, applications, Security; all three would work. What about writing code that uses GNUPGP for stuff, and you the person need a function GPG can do and how to interact via code? You tell me where that would go.

      What will be discussed: everything crypto. Help identify a hash for someone, post your own "roll your own crypto" algorithm, answer questions on how to do AES or RSA crypto. Anything crypto from crypto app usages to doing your own can be discussed. It will give the crypto guys a place to look if they feel like discussing or answering questions about the topic too. Last, all other boards also see a need to separate out this topic because it covers multiple areas, so anyone wanting to talk about crypto will be hopping all over the forums for a good place to post.

      What we should not discuss: I say any question leading to direct illegal goals. That means no questions on how to write crypto lockers or such. I know that code people may post may be able to be combined with other code to eventually create a crypto locker, but some people already know that once you get down how to do crypto in a language, it is trivial to convert it to something bad. That cannot be stopped but hopefully we will not entice by directly assisting in it.

      What does everyone think? Maybe I should have made this a poll. One can be created if folks actually read and respond to this one hehe.
  11. How are the files being uploaded? Is it a quack command, bat file, vbs or Powershell? If there are no subfolders and they all end up in the root of the %tmp% folder, then in Powershell the way to check is to first create an array of the files that should be there, then loop through checking them with Test-Path. In Powershell $env:tmp is the same as %tmp%.

      $myfiles = @("file1.exe", "file2.exe", "file3.txt")
      # Loop through checking each one with Test-Path; $env:tmp is the same as %tmp%.
      foreach ($file in $myfiles) {
          if (Test-Path "$env:tmp\$file") {
              # Do something if file exists.
              Write-Host ("File {0} exists." -f @($file))
          } else {
              # Do something if file is missing.
              Write-Host ("File {0} is not present" -f @($file))
          }
      }

      If you use Powershell to do the copying then you can copy each file and have a condition when it fails to copy a file; that way you can check while copying.

      # $rootpathtofiles is the folder you are copying from; set it before running.
      $myfiles = @("file1.exe", "file2.exe", "file3.txt")
      foreach ($file in $myfiles) {
          # SilentlyContinue keeps the loop going; the failure lands in $myerror instead.
          Copy-Item -Path "$rootpathtofiles\$file" -Destination "$env:tmp\$file" -ErrorAction "SilentlyContinue" -ErrorVariable myerror
          if ($myerror) {
              # Do something about that file not being copied.
              Write-Host ("File {0} did not copy." -f @($file))
          } else {
              # Else is optional for files that copied; if you just want to continue on then leave it out.
              Write-Host ("File {0} copied successfully" -f @($file))
          }
      }
  12. Hey @kereltjee Specify what you are trying to do and how, so your steps can be retraced and we can see if there is a madness to your method. Welcome to the forums and hope you find the help you need.
  13. I prefer not to use vbs myself too. Only looked into it because I have seen a lot of payloads folks have been writing using vbs. Figured I might as well see if vbs could be fileless too.
  14. Nope. A normal user can do it. In essence, it can be a file-less VBS. I think I am going to go through the payloads and find the ones that do vbs and redo them to use this method if possible as a POC. If possible, what can be done? Welp, for Office macros I obfuscate all the methods and procedures in the macro to fire off my Powershell script. Same can be done with these scripts so they can be stored obfuscated. You can deobfuscate in memory and execute them. Here is an example, if you run Windows 10 or 7. On your desktop create a file called "vbtest.txt". Inside it put the following code.

      Msgbox "I ran from vbtest, first line."
      Msgbox "Just to prove I am multiline, here is the second."
      Msgbox "Don't believe me? Here is a third."

      Now, launch a command prompt window and navigate to your desktop. Makes the command line shorter since you can reference the file from your location. Now, in the command prompt put in the following code.

      mshta vbscript:Execute("Set fso=CreateObject(""Scripting.FileSystemObject""):Set osc=fso.OpenTextFile(""vbtest.txt"", 1):sc=osc.ReadAll:osc.Close:Execute(sc):window.close")

      This should read that vbtest.txt file in and execute it, giving you 3 message boxes 1 after the other showing it is running the whole script multiline, closing the mshta window that opens afterwards. Imagine instead of reading that file from the local drive, reading it from say SMB or downloading it from the net to a variable, then execute.
  15. mshta is in windows already like powershell.exe. No adding an executable. So, for those who like vbscript ( I go powershell myself), you can use the inline portion to initiate a download cradle, like with powershell, to download vbscript and run it. It is just an alternative. Nothing new to download, all part of windows still. I have not looked up what this app is but if I would guess, it has something to do with handling HTA files.
  16. Look at the link below. It was in the changelogs for version 1.2. https://storage.googleapis.com/bashbunny_updates/ch_fw_1.3-changelog.txt
  17. The udisk partition may have become corrupt. Back up any files and folders you see are readable to your local machine. Now follow procedures to ssh into the bunny and use the udisk format to reformat the partition. When done, you should be able to copy back your stuff and interact again. To help prevent this, whenever you are in usb mode, be it a payload or arming, you should safely eject the bunny to ensure everything is synced before physically removing it.
  18. So, first, check this out. There is a version of mimikatz that works for Windows 10 Creator Update but no success getting it injectable for powershell like the old. The info is here. Now....for the topic. So, I have seen lots of payloads with physical vbs files. I have a tendency that when I see something using physical file writing, I try to find a way to prevent that....and I did, though I leave the rest of the work to you. The secret, if it is not blocked, is mshta.exe. This bad boy can run inline vbs scripts from the command line, no file needed to reference. The differences are as follows. Below is a simple 2 step command. It will pop open a message box and once you hit "OK", it will open a second one to show the vbscript window is not popping up. After you close that one it will run the window.close command, closing the vbscript window that you will see briefly. You will notice I have a window.close method at the very end. If this is not present, when the box closes you are left with a big empty WScript window that you have to manually close. The last command closes that window. So, the stealthiness of this method is not completely silent. The window will not pop up until the end of the script. If you remove the window.close command you will see what I am talking about. So, the command line for this is:

      mshta vbscript:Execute("Msgbox ""Hello World1"":Msgbox ""Hello World2"":window.close")

      So you can use your imagination and see how you can make your vbscript perform like powershell inline. The difference is how you pull the extra payloads, but to execute them you just use the Execute command on them to run string elements as vbs commands. Similar to what I did inline above.
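As an added defender-side example for the two mshta posts above (not code from the poster or from any Hak5 tool), here is a small Python check that flags mshta.exe process launches whose command line carries an inline vbscript:/javascript: handler, a dynamic Execute( call, or a script body read from a file, share or URL. The process-creation records are constructed for the example and are not real telemetry.

```python
"""Flag fileless mshta.exe launches in process-creation records (added example)."""
import re

# Constructed sample records (image path + command line), not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta vbscript:Execute("Msgbox ""Hello World1"":window.close")'},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta vbscript:Execute("Set fso=CreateObject(""Scripting.FileSystemObject""):'
                r'Set osc=fso.OpenTextFile(""vbtest.txt"", 1):sc=osc.ReadAll:osc.Close:Execute(sc):window.close")'},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},   # ordinary .hta on disk
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe vbtest.txt"},                          # not mshta at all
]

# Script passed straight on the command line via a protocol handler (no .hta file).
INLINE_PROTOCOL = re.compile(r"\b(vbscript|javascript):", re.IGNORECASE)
# Dynamic evaluation of a string as code.
DYNAMIC_EXEC = re.compile(r"\b(Execute|ExecuteGlobal|Eval)\s*\(", re.IGNORECASE)
# Script body pulled from a local file, a UNC share or the network.
EXTERNAL_SOURCE = re.compile(
    r"(Scripting\.FileSystemObject|OpenTextFile|XMLHTTP|WinHttp|https?://|\\\\)", re.IGNORECASE)


def classify(event):
    """Return the reasons this event looks like a fileless mshta launch (empty if none)."""
    if not event["image"].lower().endswith(r"\mshta.exe"):
        return []
    cmd = event["cmdline"]
    reasons = []
    if INLINE_PROTOCOL.search(cmd):
        reasons.append("inline script protocol handler (no .hta file on disk)")
    if DYNAMIC_EXEC.search(cmd):
        reasons.append("dynamic Execute/Eval of a string")
    if EXTERNAL_SOURCE.search(cmd):
        reasons.append("script body read from a file, share or URL")
    return reasons


def scan(events):
    """Return (command line, reasons) for every event that classify() flags."""
    return [(e["cmdline"], r) for e in events if (r := classify(e))]


if __name__ == "__main__":
    for cmdline, reasons in scan(SAMPLE_EVENTS):
        print(cmdline[:60], "->", "; ".join(reasons))
```

A plain .hta launched from disk is not flagged, so the rule keys on the fileless pattern the posts describe rather than on mshta.exe itself.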
  19. So, many of you in the Bashbunny and Rubber Ducky forums are noticing mimikatz/mimidogz in Powersploit has issues with Win10 after the creators update. It can dump hashes from the sam but it could not get the cleartext passwords like it used to do or currently does on Windows 7. Well, Gentilkiwi decided to get to work and has a new version of mimikatz that will get the cleartext passwords from Windows 7 Creators Update. You can find it below. https://github.com/gentilkiwi/mimikatz Now, what about Invoke-Mimikatz in Powersploit or Mimidogz? Well, a few of us have been trying to get it to work in the module by substituting the base64 encoded binaries of the old mimikatz with the new base64 encoded binaries. It does work but will not receive the parameters. The command line parameters for dumpcreds have changed and have to have the mimi command "privilege::debug" run first before the usual 2 other commands afterwards, "sekurlsa::logonpasswords exit". What I get is the mimi interactive shell, which is fine for live stuff but if trying to automate then this is a stopper. Also, it seems to crash out the Powershell process it is in when you exit out of it. If you use the direct executable, Windows defender will see it and stop/kill/remove it. Avast will definitely kill it; I use Avast as the most difficult of scanners to obfuscate from. If I beat Avast at full settings, good chance all the others will be the same. So, if others want to try and help figure it out, check out the issues thread for it that started on Powersploit's repo.
  20. So, I agree with all the above, especially @reubadoob. One thing you really need is the drive to learn more, research, find. One big part of pentesting is recon. Recon involves lots of research. With that said, the more you know about the system you are exploiting, the easier and more probable it is you will find an exploit if one exists. This goes with what @digip quotes about. If you are exploiting a Windows system then the more you know how to admin it, the easier you can find the faults. Windows Server is the same and of course knowing all the components like DHCP, DNS, AD, SMB; you see where I am going with this. I have to say, knowing how to code helps a bunch. It gives you a deeper understanding of the lower level exploits, how they work, and lets you tweak them if you have to because of something different from one system to the next. You can also learn from the code in other people's tools. A lot of my learning comes from that. Finding exploits in compiled code involves having assembly and debug skills. Pretty much the more you learn, the better you are. I don't mean just learn how to use the exploit tools, learn why they work.
  21. You can trim off a bunch of characters from the run line by putting the cleanup line at the beginning, end or wherever you want in the ncat script to do the cleanup. Only thing you should need in the stager is the code needed to get the rest of the code, so your cleanup can be in the rest of the code that netcat has. Do not know what the character count will be afterwards. Yeah, since he is using net.sockets, the stager will be bigger than the http stagers because he has to handle the data gathering manually through a stream and then run it. There is code to make a script hide itself from within the script itself but it will pad more code onto either the stager script or the script itself, wherever you want the hide code to run. It involves some c# assembly to expose a function from a native. The code could actually be used to hide any running process window that you have access to, or minimize, maximize and stuff. It interacts with the window handler for that process. Easy to find in a Google search too. Been asked a lot online.
  22. source /root/udisk/payloads/library/test/payload.txt

      Everything starts at /root. /root/udisk is the root of the partition you see when you plug in the BB in arming mode and browse to it like a storage device.
  23. Yes. If it is on the Bunny and you know the path you can source other files. Like in my project, it sources about 3 to 4 files to configure itself and run. But yes, you can source outside the switch folder and payload folder. You can even source something on the Bunny's root partition if you put something there. So yes. The tools are run from the root partition, like smbserver.py for the smbserver. Even python is on the root and you are able to run that.
  24. Are you talking about the tools folder on the USB partition in arming mode or the tools folder in the linux partition when you ssh in? The tools folder in the USB partition you see in arming mode will always be empty. If you put a tool package in there to be installed and restart in arming mode, it will install it to the linux /tools folder and delete the package from the tools folder on the arming mode USB partition. If you want to see if they are installed, you can create a new payload with ATTACKMODE RNDIS_ETHERNET and ssh into the bunny to see if the tools folder off the root has your tools installed.
  25. So, I notice a lot of folks cramming pentest frameworks into their bunny to access its library of payloads. Even I gave a passing thought in the past to installing Empire on the bunny but it faded fast. Metasploit has a lot of nice local and remote exploits, so I do see what entices people to want to throw it on the Bunny. The downside is it is heavy. Even on a normal machine firing it up takes an extensive load while it is loading modules, even if you use an rc file. I can imagine the time it takes to come up on the bunny. This extends the amount of time you need connected to the machine by a lot. So, here is an idea. Has anyone thought of taking out of Metasploit what they need and using just that? Really, the exploits you need will run shellcode you feed to them, or Powershell code if it is a Powershell based module. You just need the exploit and the code you want it to run. If you stage it then you need a way to get the stages. This way you only use what you need, reducing the spinup time and even the exploit time. Pretty much you can trim the fat and make it more portable and less resource intensive. Just an idea. The only time I see you needing the full framework is if you can and are going to be interacting with it, where you then can make use of the variety of modules more dynamically with the target.