
[PAYLOAD] KeyHopper


C1PH3R


Hi @C1PH3R,

I had a look at your payload and, as you asked, here are some minor remarks / suggestions:

  • Line 29-31
    Since Darren's WAIT I prefer that at this moment of the payload. It speeds up things if you don't know the performance of your target in advance...
  • Line 32-35
    Not sure why UAC should be triggered at this moment. Seems to me that you entered a command before that you have deleted?
  • Line 43-46
    Why don't you use "RUN WIN POWERSHELL" here as you did before on line 37?
  • Line 52 & 55
    Instead of forcing the user to make changes within the payload, I suggest using a variable for "service host.txt" in the config part.

Best regards!


On 2/12/2018 at 8:46 AM, GermanNoob said:

Hi @C1PH3R,

I had a look at your payload and, as you asked, here are some minor remarks / suggestions:

  • Line 29-31
    Since Darren's WAIT I prefer that at this moment of the payload. It speeds up things if you don't know the performance of your target in advance...
  • Line 32-35
    Not sure why UAC should be triggered at this moment. Seems to me that you entered a command before that you have deleted?
  • Line 43-46
    Why don't you use "RUN WIN POWERSHELL" here as you did before on line 37?
  • Line 52 & 55
    Instead of forcing the user to make changes within the payload, I suggest using a variable for "service host.txt" in the config part.

Best regards!

* Line 29-31 if you want you can add that yourself but when/if I am pentesting I would rather not have to change the switch position.

* Line 32-35 Yeah that was a previous command that I removed (is edited now)

* Line 43-46 Because I am using a CNTRL v command that prevents me from doing that (CNTRL v pastes the drive letter of the bunny).

* Line 52 & 55 I was trying that but I could not get a variable to work with a string instead of numbers; suggestions would be great!


3 hours ago, C1PH3R said:

* Line 52 & 55 I was trying that but I could not get a variable to work with a string instead of numbers; suggestions would be great!

Well, this should work:

Q STRING 'payloads\'$variable "'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"

Q STRING "start 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\"$variable"\'"



Well, I tested them in a Windows VM and this short test payload works fine with both lines:

LED SETUP
variable=TEST                  # bash variable; payload.txt is a bash script, so $variable is expanded below

LED ATTACK
ATTACKMODE HID                 # present the Bunny as a keyboard
WAIT                           # Darren's WAIT (see remarks above) instead of a fixed delay
RUN WIN powershell             # Win+R, then launch powershell
sleep 1                        # give the console a moment to open
Q STRING "start 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\"$variable"\'"

LED FINISH


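As an added example that is not part of any post in this thread: the two Q STRING lines above are ordinary bash strings (a Bash Bunny payload.txt is a bash script), so the text the Bunny types is whatever bash produces after quote removal and variable substitution. The script below reproduces only that expansion step; Q and STRING are stand-in functions (an assumption, not the Bunny's own commands) that print the argument instead of injecting keystrokes, so the resulting text can be inspected on any machine before a payload is ever run.

```shell
#!/bin/bash
# Added example, not from the thread: show what text the two Q STRING forms
# actually produce, by reproducing only bash's quote handling.
# Q and STRING are stand-ins (assumption) for the Bunny's commands; they
# print the argument rather than typing it.

STRING() { printf '%s\n' "$*"; }   # join the words with a space, print verbatim
Q() { "$@"; }                      # run the Ducky command that follows

# First form: the literal part sits in single quotes (a backslash inside
# single quotes stays literal) and $variable is placed outside the quotes
# so bash substitutes it. The result is two words, joined by STRING.
first_form() {
    local variable="$1"
    Q STRING 'payloads\'$variable "'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
}

# Second form: a single double-quoted word. Inside double quotes "\\" collapses
# to one backslash, $variable is spliced in, and "\'" keeps both characters
# because a backslash before ' is not special inside double quotes.
second_form() {
    local variable="$1"
    Q STRING "start 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\"$variable"\'"
}

# Stand-alone run: print what each form would type for variable=TEST.
first_form TEST    # prints: payloads\TEST 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
second_form TEST   # prints: start 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TEST\'
```

Running the expansion on a workstation like this is the quickest way to check a quoting change: if the printed line is not exactly the text you expect the target to receive, the payload line is wrong regardless of how the assignment in SETUP is written.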

On 2/13/2018 at 9:17 PM, GermanNoob said:

Well, I tested them in a Windows VM and this short test payload works fine with both lines:


LED SETUP
variable=TEST

LED ATTACK
ATTACKMODE HID
WAIT
RUN WIN powershell
sleep 1
Q STRING "start 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\"$variable"\'"

LED FINISH


Ahh, I see my problem (at least I think).

I used:

variable="TEST"

I've made some edits so it should all be fine now!
