Wednesday, August 22, 2012

Kautilya 0.3.0 Released - Breaking Mac OS X with USB HID and much more

The previous update of Kautilya was a couple of months back. I was travelling a lot and working on Nishang in my spare time, so only a trickle of effort went into Kautilya. Anyway, I invested the past weekend working on Kautilya and the result is Kautilya 0.3.0. This is an important update and one of the largest since Kautilya was released. I was jumping in excitement while coding this, so much so that I jumped some version numbers too :)

This version adds "support" for Mac OS X pwnage (tested on Lion running in a VMware virtual machine) and many new payloads for Windows and Linux. Update your repositories and enjoy!!

Kautilya can be found here: https://code.google.com/p/kautilya/

Below is the CHANGELOG for 0.3.0:

- Added "Get Target Credentials" payload for Windows.
- Added "DNS TXT Code Execution" payload for Windows.
- Added "Tracking Target Connectivity" payload for Windows.
- Added "Speak" payload for Windows.
- Added "Wait for Command" payload for Windows.
- Added "DNS TXT Code Execution" for Linux.
- Added "Perl Reverse Shell (MSF)" for Linux.
- Added payloads for Mac OS X, tested on OS X Lion running on VMware.
- Added "Download and Execute" for OS X.
- Added "DNS TXT Code Execution" for OS X.
- Added "Perl Reverse Shell (MSF)" for OS X.
- Added "Ruby Reverse Shell (MSF)" for OS X.
- Fixed a minor bug in "code execution using powershell" payload.
- An exception is added to the Windows firewall for the bind shell in the "Rogue AP" payload.
- Fixed a major bug in "Connect to Hotspot and Execute code". The SSID key was being stored in encrypted format, which doesn't work (Windows seems to encrypt WLAN keys using some machine-specific key). Now the key is stored in plaintext and the WLAN profile import works on other systems too.
- Fixed a bug in the "Hashdump and upload to pastebin" payload. The powershell command was being called from the dumpaste.vbs script without bypassing the execution policy. This means password hashes were being dumped but not pasted to pastebin.
- Removed TYPESPEED from every payload; it was being used as a good-luck mark and was borrowed from SET :)
- Implemented Left + Enter as the method to say yes to the UAC prompt; previously it was Alt + Y. Thanks to Paul who commented this on my blog.
- Increased the delay at the beginning to 25 seconds.
- Replaced the older "linux_codeexec.ino" (which had hardcoded shellcode) with a proper file.
- Minor improvements in some Linux payloads. Files written to disk are now written to /tmp.
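The "Hashdump and upload to pastebin" fix above describes a VBScript host (dumpaste.vbs) launching PowerShell with the execution policy bypassed. From the defender's side that parent/child pair plus the bypass flag is a useful process-creation signal. The following is an added example, not part of Kautilya or of the original post: a small detector run over constructed Sysmon-style process-creation records (the field names ParentImage, Image and CommandLine and all sample values are assumed for the example, not real telemetry).

```python
import re
from typing import Dict, List

# Constructed sample events in a Sysmon "process creation" shape (assumed field
# names; these records are made up for this example, not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\dump.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
    {"ParentImage": r"C:\Windows\System32\cscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -ep bypass -enc SQBFAFgA"},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
]

# Windows Script Host binaries that run .vbs / .js files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# PowerShell accepts unambiguous prefixes of -ExecutionPolicy (-ex, -exec, ...)
# and the documented short form -ep; match any of them followed by a permissive policy.
BYPASS_RE = re.compile(r"-(?:ex\w*|ep)\s+(?:bypass|unrestricted)\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_bypass_from_script_host(event: Dict[str, str]) -> bool:
    """True when a script host spawned PowerShell with the execution policy bypassed."""
    if basename(event["Image"]) != "powershell.exe":
        return False
    if basename(event["ParentImage"]) not in SCRIPT_HOSTS:
        return False
    return BYPASS_RE.search(event["CommandLine"]) is not None


def find_suspicious(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter a list of process-creation events down to the ones worth alerting on."""
    return [e for e in events if is_bypass_from_script_host(e)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("ALERT script host -> PowerShell with execution policy bypass:",
              hit["CommandLine"])
```

Only the two records with a wscript/cscript parent and a bypass flag are reported; PowerShell started from Explorer, and non-PowerShell children of a script host, are left alone. In a real deployment the same predicate would be expressed as a SIEM or EDR rule over the equivalent fields.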


I would love feedback, bug reports and feature requests.

2 comments:

  1. I think you should use a NumLock check instead of the 25-second delay.

    // keyboard_leds is the LED state the host reports to the Teensy keyboard
    // (Teensyduino global); bit 0 is Num Lock.
    int ledkeys(void) { return int(keyboard_leds); }
    bool is_num_on(void) { return (ledkeys() & 1) == 1; }

    // Toggle Num Lock until the host reflects the change in the LED report.
    // Until the host's HID drivers are loaded, the LED state never changes,
    // so this blocks exactly as long as needed instead of a fixed delay.
    void wait_for_drivers()
    {
        bool numLockTrap = is_num_on();
        while (numLockTrap == is_num_on())
        {
            Keyboard.set_key1(KEY_NUM_LOCK);
            Keyboard.send_now();
            delay(200);
            Keyboard.set_modifier(0);
            Keyboard.set_key1(0);
            Keyboard.send_now();
            delay(200);
        }
    }

    1. Thanks for sharing the code. I think I will implement the nice code by the Offensive Security guys which is present here https://github.com/offensive-security/peensy both for this purpose and for reliable execution. Though I will do it for Teensy without an SD card, as the whole architecture of Kautilya is to support Teensy (and other HIDs) out of the box.
