C1PH3R

[PAYLOAD] KeyHopper


Hi @C1PH3R,

I had a look at your payload and as you asked for, here are some minor remarks / suggestions:

  • Lines 29-31
    Since Darren's WAIT, I prefer that at this point in the payload. It speeds things up if you don't know the performance of your target in advance...
  • Lines 32-35
    Not sure why UAC should be triggered at this moment. Seems to me that you entered a command before that you have since deleted?
  • Lines 43-46
    Why don't you use "RUN WIN POWERSHELL" here, as you did before on line 37?
  • Lines 52 & 55
    Instead of forcing the user to make changes within the payload, I suggest using a variable for "service host.txt" in the config part.

Best regards!

On 2/12/2018 at 8:46 AM, GermanNoob said:

Hi @C1PH3R,

I had a look at your payload and as you asked for, here are some minor remarks / suggestions:

  • Lines 29-31
    Since Darren's WAIT, I prefer that at this point in the payload. It speeds things up if you don't know the performance of your target in advance...
  • Lines 32-35
    Not sure why UAC should be triggered at this moment. Seems to me that you entered a command before that you have since deleted?
  • Lines 43-46
    Why don't you use "RUN WIN POWERSHELL" here, as you did before on line 37?
  • Lines 52 & 55
    Instead of forcing the user to make changes within the payload, I suggest using a variable for "service host.txt" in the config part.

Best regards!

* Lines 29-31: If you want, you can add that yourself, but when/if I am pentesting I would rather not have to change the switch position.

* Lines 32-35: Yeah, that was a previous command that I removed (it is edited now).

* Lines 43-46: Because I am using a CTRL v command that prevents me from doing that (CTRL v pastes the drive letter of the Bunny).

* Lines 52 & 55: I was trying that, but I could not get a variable to work with a string instead of numbers. Suggestions would be great!

3 hours ago, C1PH3R said:

* Lines 52 & 55: I was trying that, but I could not get a variable to work with a string instead of numbers. Suggestions would be great!

Well, this should work:

Q STRING 'payloads\'$variable "'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"

Q STRING "start 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\"$variable"\'"


Edited by GermanNoob


Well, I tested them in a Windows VM and this short test payload works fine with both lines:

LED SETUP
variable=TEST

LED ATTACK
ATTACKMODE HID
WAIT
RUN WIN powershell
sleep 1
Q STRING "start 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\"$variable"\'"

LED FINISH

On 2/13/2018 at 9:17 PM, GermanNoob said:

Well, I tested them in a Windows VM and this short test payload works fine with both lines:


LED SETUP
variable=TEST

LED ATTACK
ATTACKMODE HID
WAIT
RUN WIN powershell
sleep 1
Q STRING "start 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\"$variable"\'"

LED FINISH


Ahh, I see my problem (at least I think).

I used:

variable="TEST"

I've made some edits so it should all be fine now!

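To see exactly which characters each of the two Q STRING lines from this thread ends up typing, and why the variable assignment works, here is an added example that is not code from the thread or from Hak5: it stubs the Bash Bunny Q command on a plain POSIX shell (the stub, TYPED and NARGS are assumptions of this harness; the variable name and the TEST value are the thread's own).

```shell
#!/bin/sh
# Added example, not code from the thread or from Hak5: a harness that stubs
# the Bash Bunny "Q" command so the two Q STRING lines GermanNoob posted can
# be run on any POSIX shell to see exactly which characters they would type.
# payload.txt is executed by the Bunny's bash, so ordinary shell quoting
# rules decide the result; "variable" and TEST are the thread's own names.

TYPED=""   # what the stub "typed" on the last call (assumed name)
NARGS=0    # how many words the shell handed to Q after the STRING keyword

# Stub of Q: the real one sends keystrokes over HID; this one only records.
Q() {
    shift              # drop the "STRING" keyword
    NARGS=$#
    TYPED="$*"         # words are re-joined with single spaces
}

variable=TEST          # as in the SETUP section of the test payload

# Line 1: single quotes keep the backslash literal, $variable is appended
# unquoted, and the double-quoted path becomes a second word.
expand_line1() {
    Q STRING 'payloads\'$variable "'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
    printf '%s\n' "$TYPED"      # printf, not echo: echo may eat backslashes
}

# Line 2: inside double quotes "\\" becomes one backslash, $variable is
# expanded, and the final "\'" stays as the two characters \ and '.
expand_line2() {
    Q STRING "start 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\"$variable"\'"
    printf '%s\n' "$TYPED"
}

# Word count seen by Q: line 1 hands over 2 words, line 2 only 1.
args_line1() { expand_line1 >/dev/null; printf '%s\n' "$NARGS"; }
args_line2() { expand_line2 >/dev/null; printf '%s\n' "$NARGS"; }

# A value containing a space is split into extra words in line 1, because
# $variable is unquoted there; line 2 keeps it inside the double quotes.
args_line1_with_space() { variable="TWO WORDS"; args_line1; variable=TEST; }

# The shell assigns the same value for variable=TEST and variable="TEST",
# so both spellings seen in the thread produce identical typed text.
same_value_both_assignments() {
    variable="TEST"; a=$(expand_line2)
    variable=TEST;   b=$(expand_line2)
    [ "$a" = "$b" ]
}

expand_line1; expand_line2
```

Run it with sh to print the two expanded strings; the path typed by line 2 is relative to the target user's profile, so it only resolves inside a shell whose working directory is that profile.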
