Jump to content

[PAYLOAD] Proxy Interceptor


Recommended Posts

Hello all, being a proxy engineer when I got the Bash Bunny the first thing I thought of was how can I force people who are (excuse my assumptions here :lol:) lazy to lock their machines when they walk away and leave them vulnerable. As a pentester an unlocked and unattended machine is a gold mine but you sometimes only have those few precious seconds to gather the data you need. If you could set a proxy and more important a SSL proxy by inserting your certificate as well you could gather all the intel you need even after the initial attack.

Enter Proxy Interceptor (Geeky name I know), this payload will enable the proxy settings and import the proxy certificate to the certificate store allowing you to man-in-the-middle the users web traffic including gathering credentials for later escalation use in the pentest. The payload is simple using PowerShell and Ducky Script and the end of the payload will even eject the bash bunny so you can just unplug and walk away.

The script is 1.0 so there is more I want to do with it later including adding support for Firefox, running confirmation tests, dropping a script for persistence, and more. As of know this only affects IE and Chrome. Also there is no failure detection as of yet in the PowerShell scripts you just will not get the purple LED to confirm it is completed. I would love to hear your thoughts.

https://github.com/ajmatson/bashbunny-payloads/tree/master/payloads/library/Proxy_Interceptor

  • Upvote 6
Link to post
Share on other sites

Thank you for the kind words. I am adjusting the timings on the script as I go to find the sweet spots. One of the laptops I tested this on had a big time gap and caused the beginning of the script to be cut off on two of my trial passes so I kept a big delay in the beginning to ensure the machine was fully ready and the bunny was up and running.

Link to post
Share on other sites
  • 3 weeks later...

Hey man, I have a complete version of this script turned into an Powershell Empire payload.  Will work with burp ASN1 certs.  Will share.  If you want to see the source I can get it to you...somehow.  Could improve your script.  The script itself will need the cert as it handles the adding of it too.

Warning about certs.  You have to UAC bypass to add to cert authority else it will alert user you are wanting to add cert.  Might not be bad for local attack.

I plan on it being used in my second iteration of the BBTPS I am working on since the second version will be able to deliver encoded files to the agent.  See BBTPS for more info in this payload section.  Anyway, if you want the script to inspect and dabble with, I can put it on git.  I been lazy and have not added my docs and stuff to it and the python module to push it to Empire repo yet so eh.

Link to post
Share on other sites
  • 5 months later...

Hi,

on my windows 10 it doesn't work. If i try to run the single commands i get this:

 PS E:\payloads\switch1> $certFile | Import-Certificate -CertStoreLocation cert:\CurrentUser\Root
Import-Certificate : Cannot find the requested object. (Exception from HRESULT: 0x80092009)
At line:1 char:13
+ $certFile | Import-Certificate -CertStoreLocation cert:\CurrentUser\R ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Import-Certificate], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Microsoft.CertificateServices.Commands.Impor
   tCertificateCommand

 

Any suggestion?

Link to post
Share on other sites
  • 3 months later...

One question tho, why are you not using stage lights instead of white blinking lights? stage lights are nice because it is standardized so everyone will know what it means. Also why ejecting with powershell when you can do it with a simple ATTACKMODE OFF ??

Edited by C1PH3R
Link to post
Share on other sites
  • 3 weeks later...

Hi @C1PH3R,

I haven't heard about ATTACKMODE OFF yet. Where is it documented?

But I can't believe that this is similar to a powershell cmd on the victim computer. I assume it just turns of the ATTACKMODE which would be similar to just unplug the BB, wouldn't it?

According to the stage lights: As this thread is quite old,  assume that the "new" standardized light codes weren't available. If I remember right, in the beginning everybody defined their own color codes.

Link to post
Share on other sites
18 hours ago, GermanNoob said:

Hi @C1PH3R,

I haven't heard about ATTACKMODE OFF yet. Where is it documented?

But I can't believe that this is similar to a powershell cmd on the victim computer. I assume it just turns of the ATTACKMODE which would be similar to just unplug the BB, wouldn't it?

According to the stage lights: As this thread is quite old,  assume that the "new" standardized light codes weren't available. If I remember right, in the beginning everybody defined their own color codes.

https://github.com/hak5/bashbunny-wiki/blob/master/payload_development.md

Under Attackmode. I understand the leds now. 

Link to post
Share on other sites

Man, I have been busy these past few months here at work.

 

Anyway, I looked more at this payload .  I think I am going to touch this one and post here an alternative to make this a little less "quacky".

 

The issue is see is with the "Import-Certificate" commandlet.  This does not exist on machines that do not have the PKI module installed.  This will be most Windows 7 machines.

An alternative is to tap into .NET.  Doing so adds a little complication though like if you are going to use PEM files, you have to clean them, un-base64 it into raw bytes and then import it into an x509Certificate2 object (or if it is in pk12 or asn1/crt format you can just import the file).  From there you can import it into the store using the store class (after you set the store to the readwrite of course).  Doing so should make it work synonymous between Windows 10 and Windows 7.  If I post something I will include the method to do that also.  if you wish the cert to stay a pem, I can optimize the function to clean and handle PEMs.  Right now the script I have that does something similar in Empire is set to handle BURP asn1 certs.

Link to post
Share on other sites

So, i got your script looking pretty and fast but have one hangup I am stuck on.  How are you clicking "yes" on the approval to add the cert?  It comes up not in focus and swapping windows via alt command doesn't have the ability to select that windows, only mouse click can put the window in focus.

In the version I have for Empire it requires admin rights so you do not get the warning prompt.  Right now, it requires you manually clicking yes in the Window since I cannot get focus through hid.  If you would like to see I will do a PR on your repo.

There are only 2 scripts now and a stager command.  The command is encoded using the technique by elkintaro's RUNPOWER extension to create an encoded command.  I had issues with the plain text command.  Encoding it resolved it.

The first script that is pulled is the handler to condition the PEM file and paths before loading and running the actual Invoke-ProxyHijack to implement the commands.  It will try the cert first and if fails then it will not change the proxy.  If it succeeds then it does the registry change for server.

When ran, it runs really fast and the prompt for accepting the cert comes within 1sec.  If I could get focus then there could be a delay of 2-5 seconds before saying yes and then it will be pretty much done so this could be a 5-10sec payload.  If you make this an admin required payload, it could be done in 2-5secs.

 

I developed and tested on a Windows 7 (fully updated) system.  Powershell 2.0+ compatible.

Link to post
Share on other sites
  • 2 weeks later...

Whoot.  I perfected this payload, well almost.  I am switching it back to file mode for the cert since you are pulling from USB.  Less work and easier to deal with. I am too used to dealing with agents and agent servers that I over-complicated the pull of the cert.  Going to simplify it from handling raw, in memory, data to handling the cert files.  I also ran into an issue with PS2.0 compatibility but I know what to do to fix that really fast from a test I did here in the office.

I can finish this off and have a fully working improved version of this payload either tonight or tomorrow.  I have been working on the BBTPS after I got hung up with the security warning that cannot be select by hid commands but because I was being dense I saw it wasn't a UAC prompt meaning I still had control of the screen though the script does stop.  No problem.  I just added a job to fire off before adding the cert that waits a second or 2 so when I add the cert and the security warning pops up, the job selects the window via code and does an alt-y sendkey which worked.  So, only 1 quack command and 2-3 seconds to run.  Whoot.  Could make it more stealthy by muting sound before adding cert so there is no warning sound and then unmute when done but that can be later.  Where do you want this thing since it is really yours, I am just improving it?  :-P

Or, I will just be forkin ya.

  • Like 1
Link to post
Share on other sites

 

8 hours ago, PoSHMagiC0de said:

Whoot.  I perfected this payload, well almost.  I am switching it back to file mode for the cert since you are pulling from USB.  Less work and easier to deal with. I am too used to dealing with agents and agent servers that I over-complicated the pull of the cert.  Going to simplify it from handling raw, in memory, data to handling the cert files.  I also ran into an issue with PS2.0 compatibility but I know what to do to fix that really fast from a test I did here in the office.

I can finish this off and have a fully working improved version of this payload either tonight or tomorrow.  I have been working on the BBTPS after I got hung up with the security warning that cannot be select by hid commands but because I was being dense I saw it wasn't a UAC prompt meaning I still had control of the screen though the script does stop.  No problem.  I just added a job to fire off before adding the cert that waits a second or 2 so when I add the cert and the security warning pops up, the job selects the window via code and does an alt-y sendkey which worked.  So, only 1 quack command and 2-3 seconds to run.  Whoot.  Could make it more stealthy by muting sound before adding cert so there is no warning sound and then unmute when done but that can be later.  Where do you want this thing since it is really yours, I am just improving it?  :-P

Or, I will just be forkin ya.

I recently added a payload that mutes a pc ;) Feel free to auto-add it to your fork. Only issue is the delays. it has big delays that could easily be reduced

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...