Wednesday, August 22, 2012

Kautilya 0.3.0 Released - Breaking Mac OS X with USB HID and much more

Previous update of Kautilya was a couple of months back. I was travelling a lot and working on Nishang in spare time. Only a trickle of effort was given to Kautilya.  Anyway, I invested the past weekend working on Kautilya and the result is Kautilya 0.3.0. This is an important update and one of the largest since Kautilya was released. I was jumping in excitement while coding this, so much so, that I jumped some version numbers too :)

This version adds "support" for Mac OS X pwange (tested on Lion running on VMWare virtual machine) and many new payloads for Windows and Linux. Update your repositories and enjoy!!

Kautilya could be found here

Below is the CHANGELOG for 0.3.0

- Added "Get Target Credentials" payload for Windows.
- Added "DNS TXT Code Execution" payload for Windows.
- Added "Tracking Target Connectivity" payload for Windows.
- Added "Speak" payload for Windows.
- Added "Wait for Command" payload for Windows.
- Added "DNS TXT Code Execution" for Linux.
- Added "Perl Reverse Shell (MSF)" for Linux.
- Added payloads for Mac OS X, tested on OS X Lion runnning on a VMWare.
- Added "Download and Execute" for  OS X.
- Added "DNS TXT Code Execution" for  OS X.
- Added "Perl Reverse Shell (MSF)" from OS X
- Added "Ruby Reverse Shell (MSF)" for OS X
- Fixed a minor bug in "code execution using powershell" payload.
- An exception is added to Windows firewall for bind shell in "Rogue AP" payload
- Fixed a major bug in "Connect to Hotspot and Execute code". The SSID key was being stored in encrypted format which doesn't work (Windows seem to encrypt WLAN keys using some machine specific key). Now the key is stored in plain and WLAN profile import works on other systems too.
- Fixed a bug in "Hashdump and upload to pastebin" payload. The powershell command was being called from the dumpaste.vbs script without bypassing executionpolicy. This means password hashes were being dumped but not pasted to pastebin..
- Removed TYPESPEED from every payload which was being used as good luck mark and was borrowed from SET :)
- Implemented Left + Enter as a method to say yes to UAC prompt, previously it was Alt + Y. Thanks to Paul who commented this on my blog.
- Increased the delay at the beginning to 25 seconds.
- Replaced the older "linux_codeexec.ino" (which had hardcoded shellcode) with proper file.
- Minor improvements in some lonux payload. Files written to disk are now written in /tmp.

 I would love feedback, bug reports and feature requests. 

Tuesday, August 14, 2012

(Introducing) Nishang : PowerShell for Penetration Testing

I have been using PowerShell in penetration tests for some time now. It is a really powerful shell and scripting language which gives you access to interesting things on a Windows machine. There are many PowerShell scripts involved in Kautilya. In fact, these PowerShell scripts are the reason behind power of Windows payloads in Kautilya.

At some of my talks many nice folks have asked me about the availability of PowerShell scripts for use in Penetration Tests. I started writing new scripts and collecting older ones. After working on this for a while I had some useful collection of payloads and scripts. I call it Nishang. It is available on google code here

Nishang means quiver (container for arrows) in Sanskrit. Apt for a collection of payloads and scripts.

It is a collection of scripts and post exploitation framework in PowerShell. The aim is to increase the usage of PowerShell in offensive security and penetration test. Nishang is a result of my own requirements during real life pen tests. Since it is a post exploitation thingy it is assumed that you have a shell access on the machine or using a HID like Teensy to drop the script on the victim.

Why PowerShell? It is easy to learn and powerful (think of Bash in Unix ported to Windows) and is present on every modern Windows macine. If you use PowerShell "properly", most of the times you would need practically nothing for post exploitation other than powershell.

Currently, Nishang includes only those payloads and scripts which do not require you to be an administrator on the machine. That is, no priv shell is required. The payloads are of varied complexity (for the user), while there are simpler ones like Download, Keylogger and Information Gatherer to complex ones like DNS_TXT_Pwnage and Wait_For_Command. All the payloads and scripts come with help. Use

PS> Get-Help [payloadname.ps1] -full

for help on executing a script or payload.

How to use it? The scripts can be used either if you have access to powershell prompt (when you have vnc or rdp etc) or if you have a windows command shell on the target. You must download the script on the target machine.

Below screenshots shows a quick example of the Information_Gather payload being downloaded and executed on a target machine.

One liner to download a script on the target

Execute the script. Note the parameters being passed ot the script.

The result of this payload (info uploaded to pastebin)

That was easy. All the scripts could be executed this way. Yay!

A word of caution, it may appear that your session has stuck after you execute the script. But you can eventually make your way out by repeatedly pressing enter. I am unaware of the reason behind this.

What's next? More scripts are in the development pipeline. Many of them require privileged shell on the target. Also, Niklas Goude has allowed me to add his powershell scripts to Nishang. They should be available with next release, thanks Niklas !

Also, the scripts are Tab ugly right now, that would be clean in next release.

I am looking forward for feedbacks, contributions and feature requests. I hope this would be useful.