Comments on Lab of a Penetration Tester: Teensy USB HID for Penetration Testers - Part 5 - Advanced Windows Payloads of Kautilya
Blog author: Nikhil SamratAshok Mittal (http://www.blogger.com/profile/02092541175521734123)
21 comments

Anonymous, 2012-09-03 23:17 (+05:30):
I'm loving all of this. I'm getting my teensy ++ tomorrow and I'm quite excited to try all of this out. Keep up the good work! The wait for command is an ingenious idea :D

Nikhil SamratAshok Mittal, 2012-09-04 01:02 (+05:30):
Thanks a lot. I am glad you liked it :)

Anonymous, 2012-09-05 22:53 (+05:30):
Please post a way to get admin rights from limited account :)

Anonymous, 2012-09-07 08:34 (+05:30):
Hi Nikhil, it's the same person that commented first on this post ;)

Anyways, for the keylogger module, is it persistent? Or does the effect terminate once the computer is turned off?

Nikhil SamratAshok Mittal, 2012-09-08 23:25 (+05:30):
Not now. It would be persistent in the next update or one after that. You can achieve some persistence by using it as a start-up/logon script or scheduling it as a task. Perhaps I should do a blog post on this :)

Anonymous, 2012-09-10 04:47 (+05:30):
Ahhhhh I see. But still a useful module nonetheless. And you can make an option to kill the persistence and clean up by querying a pastebin script every day or so!

Anonymous, 2012-11-05 15:42 (+05:30):
Hi Nikhil,

I'm following your teensy posts now for a while and have ordered some devices for security awareness trainings here in my company. They are really awesome because they create a "Wow-effect".
I also checked the Peensy post and I have to say, it's becoming better and better.

Last weekend I was playing a bit with powershell as I was a little bit unhappy with the cmd.exe. (You can see what is entered on the screen).
I found this very cool:
Just try WINDOWS+R and then type the following:
powershell.exe -WindowStyle Hidden powershell.exe

The opened powershell window is shown for about a second and then disappears. After that you can keep on typing (just try something like notepad.exe), because the window is still in the foreground, but invisible. It appears in the task manager but not in the task list (ALT+TAB).

I'm currently trying some things. I'd like to do the following:

1. Plug in Teensy
2. Teensy starts hidden powershell
3. Hidden powershell checks if a script is running (one liner, typed by teensy; if yes --> sleep n seconds, if no goto 4). So the hidden powershell becomes the root handler.
4. Type script lines >> scriptfile
5. Execute scriptfile (again with the hidden option)

The scriptfile itself should do the following things:
- do some state handling (running 1 or 0)
- act as handler for different attack-scriptfiles (like download scriptfile posted on pastebin or others)
- start different scriptfiles

In the end the teensy would just start a handler if it is not running. The handler itself would then start the attack scripts.
This could reduce some side effects if the teensy is plugged in and tries to do some typing.

Regards
Andy

Nikhil SamratAshok Mittal, 2012-11-09 19:57 (+05:30):
Thanks for your comments.

The powershell hidden window thing looks cool. I did a quick check and am facing some issues with it.

For a "normal" powershell window this seems to work fine. But when I try to start an elevated powershell window, the hidden window is not focused anymore. Anything typed by Teensy is not being sent to the screen. Have you tried doing that?

Anonymous, 2012-11-20 17:40 (+05:30):
Well I tested around a bit and didn't find a direct way to "re-focus".

But I found another way to bypass that issue (from here: http://blogs.msdn.com/b/virtual_pc_guy/archive/2010/09/23/a-self-elevating-powershell-script.aspx).

The powershell script below is some kind of "sudo". You can run an unprivileged powershell (in background), then echo the lines of the script to an "elevate.ps1" script that starts the argumented script in elevated mode. That said, it opens the UAC message; after clicking "OK" the script is executed with administrator privileges.

-------------- powershell sudo ----------------
    # Get the ID and security principal of the current user account
    $myWindowsID = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $myWindowsPrincipal = New-Object System.Security.Principal.WindowsPrincipal($myWindowsID)

    # Get the security principal for the Administrator role
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # Check to see if we are currently running "as Administrator"
    if ($myWindowsPrincipal.IsInRole($adminRole))
    {
        # We are running "as Administrator" - so change the title and background color to indicate this
        $Host.UI.RawUI.WindowTitle = $myInvocation.MyCommand.Definition + "(Elevated)"
        $Host.UI.RawUI.BackgroundColor = "DarkBlue"
        Clear-Host
    }
    else
    {
        # We are not running "as Administrator" - so relaunch as administrator
        # Create a new process object that starts PowerShell
        $newProcess = New-Object System.Diagnostics.ProcessStartInfo "PowerShell"
        # Specify the current script path and name as a parameter
        $newProcess.Arguments = $myInvocation.MyCommand.Definition
        # Indicate that the process should be elevated (this triggers the UAC prompt)
        $newProcess.Verb = "runas"
        # Start the new process
        [System.Diagnostics.Process]::Start($newProcess)
        # Exit from the current, unelevated, process
        exit
    }

    # Run your code that needs to be elevated here
    Write-Host -NoNewLine "Press any key to continue..."
    $null = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
-----------------------------------------------

Anonymous, 2012-11-20 17:42 (+05:30):
ok, formatting got lost.
better check for the original link here:
tp://blogs.msdn.com/b/virtual_pc_guy/archive/2010/09/23/a-self-elevating-powershell-script.aspx

Or you could also try this one:
http://jeffwouters.nl/index.php/2011/11/having-some-fun-with-uac-and-powershell/

Regards
Andy

Nikhil SamratAshok Mittal, 2012-11-20 23:24 (+05:30):
Thanks Andy, this looks nice. I will do some testing on this soon. Let's see how it goes.

Anonymous, 2013-05-21 15:41 (+05:30):
Hi,

really great work. I have some issues with a german keyboard, which is already described here:

https://groups.google.com/forum/?fromgroups#!topic/kautilya-users/ZWXX989w2LY

I hope it will be solved soon.

Some questions: what about an offline-version without going to the internet and downloading the script from pastebin or whatever?

And, +1 for the post from Andy: I would like to see a universal teensy which dumps every kind of passwords from the local machine and puts them on an sd on the teensy or something. Why? Sometimes local clients are not allowed to use the internet.....

Nikhil SamratAshok Mittal, 2013-05-21 16:07 (+05:30):
Hi,

Thanks for your nice words. I need to do some testing for ascii support, hopefully this would be addressed in the next major release.

Most of the payloads are offline. Only those payloads download scripts from the internet which are big (like hashdump and sniffer) and take considerable time for typing. I will see if it would be feasible to type them locally.

Regarding the "universal teensy", I have not implemented any SD card method to keep the "learning curve" simple for new users. I want to support a Teensy (or other HID) out of the box, that is, without a need to attach an SD card etc.

Other than that, all the payloads of Kautilya are designed so that the device need not be connected to the target for more than 30-40 seconds. More functionality in a single payload means more time required for typing, thus more time on the target.

Although, given there is a demand, I will introduce an option or separate payloads which make use of the SD card in future.

Thanks,
Nikhil

Nikhil SamratAshok Mittal, 2013-05-21 16:13 (+05:30):
One more thing, many environments block a storage device; even if the internal storage is used it may get blocked. Anyway, I will look to what extent storage could be supported while maintaining ease of usage.

Anonymous, 2013-05-23 11:28 (+05:30):
Hi Nikhil,

this sounds really awesome. What about the following: the sdcard could be optional, meaning if no sd is attached, online version; if an sd is attached and mountable, offline version.

Let me know when you need some support, I really love your project.

Nikhil SamratAshok Mittal, 2013-05-23 11:32 (+05:30):
Thank you. Yes, that is what I was thinking of. Kautilya will support the SD card in a near future release.

Nikhil SamratAshok Mittal, 2013-05-23 14:55 (+05:30):
Also, code contributions are always welcome. Please let me know if you want to contribute.

Sam (https://www.blogger.com/profile/15035195813441371123), 2013-10-18 15:35 (+05:30):
Hi again,

Could you possibly provide a link or a screenshot of the options/payloads for OS X?

Thanks.

Nikhil SamratAshok Mittal, 2013-10-20 23:40 (+05:30):
Sure, payloads for OS X are:

1. Download and Execute
2. DNS TXT Code Execution
3. Perl Reverse Shell (MSF)
4. Ruby Reverse Shell (MSF)

Anonymous (https://www.blogger.com/profile/09674278426964167920), 2014-11-24 04:05 (+05:30):
Nikhil,

Awesome work man!! Just awesome. I want to work with you to build a new product (really an improvement to an existing one), a peensy. I want to add a Fram memory module to a Teensy 3.1 and create different versions for specific OS/Systems.

Anonymous, 2014-11-30 12:15 (+05:30):
Awesome Work !!!