Thursday, February 11, 2016

Hacking with Human Interface Devices - Easy Reverse Shells


Kautilya has the ability to do interesting and useful stuff using a Human Interface Device. But sometimes, nothing beats a simple reverse shell. Recently, I added some new payloads to Kautilya which are useful for getting reverse shells using different protocols.

This post describes the payloads which give us reverse-connect PowerShell shells from Windows targets. With these payloads, Kautilya is better able to provide us with a foothold machine in penetration testing engagements where the use of Social Engineering techniques is allowed. For those who follow my other tool, Nishang, I did a five-part blog series on that.


Let's see the payloads in action.

Reverse TCP and Reverse UDP

Both of the payloads can be used with a standard netcat listener on both Windows and Linux. On Windows, Powercat can also be used. We just need to provide the IP to which the target connects back and the port to use. Upload it to a HID and send it to a target.

When a target connects the device, this is what it looks like at the listener.

Neat! An interactive reverse PowerShell shell.

Reverse ICMP


My favorite one for bypassing network restrictions, a reverse shell completely over ICMP. This payload needs a listener, icmpsh_m.py, from the icmpsh suite. Run the command "sysctl -w net.ipv4.icmp_echo_ignore_all=1" and start the listener. This is what it looks like on a successful connection:


This one has been useful in so many penetration tests.

Reverse HTTPS and Reverse HTTP

Reverse HTTPS is proxy aware and uses valid HTTPS traffic for a reverse PowerShell shell. Its target part (typing done on the target machine) is very small and this makes it very useful. Currently, a listener on Windows is required. Run Invoke-PoshRatHttps.ps1 in the extras directory of Kautilya from an elevated shell. The listener script adds an exception to the Windows Firewall for incoming requests on the specified port.

Awesome, isn't it?

Hope you liked the post! As always, I look forward to feedback and comments.





9 comments:

  1. Hey, great job on this tool, but can I ask which Arduino models support it or which microprocessors can run this? Want to find or make a small model of Uno that supports payloads and will be cheaper.

  2. Can the micro port of the tool be run on every 32u4 processor or not?

    1. For example, can the micro port run on the Beetle?

    2. Hey,

      I *believe* it should work on every 32u4 processor. Unfortunately, I never tested it on anything other than the Teensy. I think the cheapest thing available on which Kautilya should work is the Pololu A-Star https://www.pololu.com/product/3101

  4. Hi Nikhil, thanks for your hard work. I have a question: after generating the reverse TCP payload and passing it to the victim computer with the Teensy, how do I open the listener? What's the command? Thanks

    1. Hi,

      You need to manually start a listener on the attacking machine. A simple netcat listener is good enough for TCP and UDP shells.
