Nishang 0.2.0 - More PowerShell awesomeness

Behold world, I give you a new and shiny version of Nishang after a long gap :) I have been using PowerShell more and more by each pen test so expect even more awesomeness.

This is a major release and all of the new payloads are courtesy Niklas Goude. Below is the changelog.

- Removed hard coded strings from DNS TXT Pwnage payload.
- Information Gather now pastes data base64 encoded, does not trigger pastebin spam filter anymore.
- Credentials payload now validates both local and AD crdentials. If creds entered could not be validated locally or at AD, credential prompt is shown again.
- Base64ToString now asks for a file containing base64 string. To provide a string in place of file use "-IsString" parameter.
- Browse_Accept_Applet now handles prompts for both 32 bit and 64 bit Internet Explorer. The wait time for the applet to load has also been increased .
- Added Enable_DuplicateToken payload.
- Added Get-LSASecret payload.
- Added Get-SqlSysLogin payload.
- Added Invoke-Medusa payload.
- Added Invoke-PingSweep payload.

Check out the repository (http://code.google.com/p/nishang/source/browse/trunk) for the latest code.
The new payloads were discussed by Niklas on the awesome Hey, Scripting Guy! Blog.

I am working on many new payloads and you could expect frequent updates. Keep any eye on this blog :)

I would really like feedback, comments and feature requests :)

Kautilya 0.4.0 - reliable payload execution and more

Kautilya 0.4.0 would be more reliable than ever (at least I intended so). There has been a major change in the architecture thanks to this awesome post by the Offensive Security guys. Large parts of code have been copied from the Peensy standalone.

Two major changes in how generated payloads will execute:

1. Now, whenever you connect a device with a payload from Kautilya, it will check for responsiveness to the Caps Lock key and will continue only when the drivers are loaded properly. The default 25 seconds delay gets out of the windows *phew*.

2. When the drivers are loaded (and is confirmed by step one), the next step is to open a command prompt. To make sure that it has a command prompt, the Teensy is made to press Caps Lock programmatically and then it senses the response. Only after a response it continues to send keystrokes for the rest of the payload. Life just got easier :)


A new payload for Windows, DNS TXT Backdoor has been added. This payload is a powershell script which keeps polling TXT records of a given domain and is capable of executing commands and powershell script based on the TXT record received. Have a look at the below screenshot

The subdomain "start.example.com" is one whose TXT records would be queried continuously for instructions. The payload will keep querying this subdomain.

If it gets "begin" as the value of TXT record of "start.example.com", it will query "cmds.example.com" for commands to execute on the target machine.

If it gets "script7" in response. It will query 1.otherexample.com upto 7.otherexample.com for seven lines of powershell script, that is, in this string the last character should be equal to number of lines in your powershell script. Each line should be base64 encoded in a single TXT record :) The script is decoded on the target and executed. The payload dies afterwards. Ugly, but works ;)

Another nice thing added is credential validation by the Credentials payload. Now, whenever credentials are entered in the pop up asking for credentials, they will be validated against local accounts and default AD, if both are not validated the box appears again. Increased probability of getting credentials in plain :)

In other things,I removed two unstable (read unusable) payloads, Chrome RDP and Uninstall. The Chrome RDP payload is gone for good and Uninstall would be back in a future release after it is rewritten and made usable.


Here is the CHANGELOG

- Added Peensy functionality which means reliable execution of payloads and measured delays when the device is connected.
- Added "DNS TXT Backdoor" payload for Windows.
- Fixed a small bug in Rogue AP payload. The SSID key was not masked previously.
- Credentials payload now validates both local and AD crdentials. If creds entered could not be validated locally or at AD, credential prompt is shown again.
- Fixed a major bug in Time Based Execution payload. Embarrassingly, "echo" was missing from various lines of the payload,  making it ineffective.
- Added osx_payloadgen.txt to the extras directory. It was somehow missed in 0.3.0
- Fixed a small bug in Information Gather payload.
- Added sniffer.ps1 to the extras directory.
- Minor changes in Tracking Target Connectivity payload.
- Removed Chrome RDP Payload. Was not really useful.
- Removed Uninstall payload till next release.

As always, I welcome feedback, bug reports, questions and feature requests.

Teensy USB HID for Penetration Testers - Part 5 - Advanced Windows Payloads of Kautilya

This is the fifth post in the series of Teensy USB HID for Penetration Testers. Sorry for the gap between this and the last post (almost three months).  I was not sitting idle though, I released Nishang in between and there is a new and shiny version of Kautilya is out :)

Let us have a look at some advanced payloads in Kautilya.

Hashdump

This payload could be used to dump password hashes from Windows 7 machine. To use this payload, you have to upload powerdump meterpreter script from msf to a website (I used pastebin).  The script would then be downloaded on the victim machine later on.

On a Windows 7 machine, you must have SYSTEM privilege to dump hashes using powerdump script. This SYSTEM privilege could be gained by scheduling a task as an administrator to be run as system. The second option asked during payload generation is the name of this task.

Also, this payload pastes the hashes to pastebin as a private paste. To paste privately, you need a free account on pastebin. You need to provide username, password and api developer key (under the api link after you log in to pastebin) for your pastebin account. 

Compile the generated output to Teensy, connect to the victim and after few seconds you should see this in the private pastes of the pastebin account used with payload

 Neat!! Now we can crack or “pass” these in further attacks. (The hashes are from one of my test system).

Keylogger

This payload runs a keylogger written in powershell and pastes keys to pastebin as a private paste after a given interval. Here is how to use this:

Compile the output to Teensy, connect to the victim and you should see this in your pastebin account after few seconds (keep in mind the time interval you have given)

Download this and use parsekeys.ps1 script to get some meaningful data. The script requires data from this pastebin to be copied in a text file called data.txt in the same folder as the script and creates a file called Logged_keys.txt with the parsed keys. This is how parsed keys should look.

The keylogger is able to log keys typed in web forms and windows prompts. This payload works with a normal user privs (no admin required). While using this payload, please keep in mind that pastebin limits the number of posts per day and I think the limit is stricter for private pastes. You either need a pro account or ask me nicely for implementing some other paste service ;) In fact, I tested this on tinypaste and it worked cleanly. The reason I stuck with pastebin is that I have seen pastebin allowed in many restricted environments as compared to tinypaste.

Wireless Rogue AP

Windows 7 has a nice feature called Hosted Network. This is meant for sharing your wireless network with other devices. This feature could be used as a backdoor. This payload adds and starts a wireless hosted network on the victim. Then a meterpreter bind is executed in the memory using powershell. This technique is being used from this awesome post by Matt (used in many more payloads in Kautilya). Administrative access is required for this payload.

You need to generate bind meterpreter payload using the command in payloadgen.txt in extras directory. The generated payload is to be copied to rogue_ap.txt in src directory. After that, create a payload using Kautilya

You should be able to see a  wireless network called “wifibdoor” after the output is compiled to Teensy and attached to the victim. After successfully connecting to the network you would like to connect to the bind payload but what would be the IP address to connect to? Open up command prompt and look at the gateway for this wireless connection. As this is hosted on the victim the default gateway would be the IP of victim.

Connect to the port you used for msf bind payload on the default gateway using msf listener and bingo you have a meterpreter session. But wait, this is a bind shell what about Windows Firewall? If you look at the source,an exception is added to Windows Firewall exception list with program name as "PowerShell Update".

Connect to Hotspot and Execute Code

I got idea of this payload during an internal pen test. In case of that client, there was no internet access from the employees’ laptops barring few (almost 20) websites. In such a scenario, I use this technique which I call Injecting the Internet…hee hee.  

This payload forces the target to connect to a hot spot controlled by you thus effectively bypassing any restrictions on the internet connectivity. This forceful connection is achieved by "typing" a wlan profile on the victim, the profile is then used to make a connection. Administrative access is required for thisaction.

An ideal use case is using a hot spot hosted on a Smartphone within the wireless range of the target machine ;) In the third option (URL where the payload is hosted), you can use either a URL hosted on a web server running on your phone (I use kWS) or a URL from the internet. The Kautilya payload expects an executble in text format at this URL.

After connecting the Teensy to a victim, we get this :)

WLAN Keys Dump

This payload dumps information for all wlan profiles on the target system, including the in clear text and uploads them to pastebin as a private paste. A user with admin privs must be logged in for this payload to work.

Code Execution using DNS TXT queries

This payload pulls first stage of a meterpreter from a DNS TXT record and executes it in memory using powershell. The payload makes two queries to differnt subdomains for a 32bit and 64 bit shellcode, the architecture is detected during the payload execution and the appropriate shellcode is executed. The meterpreter needs to be generated using the command in payloadgen.txt in extras directory in Kautilya.

The result is same as some of the payloads above. A nice meterpreter shell !

Obviously, you should have control of TXT records of a domain to use this. I used a domain with zoneedit.com. It is easy and effective to use.You can fit first stage of a meterpreter inside a single TXT record.

Wait for Command

This payload continuously queries a pastebin url for specific content. As soon as the content matches, another URL is opened looking for powershell script. The powershell script is downloaded and executed on the target.

 In the above example, the content of first URL is queried continuously (with an interval of 5 seconds). Whenever you want to execute powershell script on the target, change its content to that of the magicstring (which is "balwant_rai_ke_kutte" in this case ;) ) and the payload will download and execute powershell script from the second URL .

This post covered many interesting payloads for Windows in Kautilya. In the next post in this series we will have a look at payloads for Linux (Ubuntu) and OS X. Please leave comments and feedback. I would be glad to implement (almost) any feature request.

Kautilya 0.3.0 Released - Breaking Mac OS X with USB HID and much more

Previous update of Kautilya was a couple of months back. I was travelling a lot and working on Nishang in spare time. Only a trickle of effort was given to Kautilya.  Anyway, I invested the past weekend working on Kautilya and the result is Kautilya 0.3.0. This is an important update and one of the largest since Kautilya was released. I was jumping in excitement while coding this, so much so, that I jumped some version numbers too :)

This version adds "support" for Mac OS X pwange (tested on Lion running on VMWare virtual machine) and many new payloads for Windows and Linux. Update your repositories and enjoy!!

Kautilya could be found here https://code.google.com/p/kautilya/

Below is the CHANGELOG for 0.3.0

- Added "Get Target Credentials" payload for Windows.
- Added "DNS TXT Code Execution" payload for Windows.
- Added "Tracking Target Connectivity" payload for Windows.
- Added "Speak" payload for Windows.
- Added "Wait for Command" payload for Windows.
- Added "DNS TXT Code Execution" for Linux.
- Added "Perl Reverse Shell (MSF)" for Linux.
- Added payloads for Mac OS X, tested on OS X Lion runnning on a VMWare.
- Added "Download and Execute" for  OS X.
- Added "DNS TXT Code Execution" for  OS X.
- Added "Perl Reverse Shell (MSF)" from OS X
- Added "Ruby Reverse Shell (MSF)" for OS X
- Fixed a minor bug in "code execution using powershell" payload.
- An exception is added to Windows firewall for bind shell in "Rogue AP" payload
- Fixed a major bug in "Connect to Hotspot and Execute code". The SSID key was being stored in encrypted format which doesn't work (Windows seem to encrypt WLAN keys using some machine specific key). Now the key is stored in plain and WLAN profile import works on other systems too.
- Fixed a bug in "Hashdump and upload to pastebin" payload. The powershell command was being called from the dumpaste.vbs script without bypassing executionpolicy. This means password hashes were being dumped but not pasted to pastebin..
- Removed TYPESPEED from every payload which was being used as good luck mark and was borrowed from SET :)
- Implemented Left + Enter as a method to say yes to UAC prompt, previously it was Alt + Y. Thanks to Paul who commented this on my blog.
- Increased the delay at the beginning to 25 seconds.
- Replaced the older "linux_codeexec.ino" (which had hardcoded shellcode) with proper file.
- Minor improvements in some lonux payload. Files written to disk are now written in /tmp.


 I would love feedback, bug reports and feature requests. 

(Introducing) Nishang : PowerShell for Penetration Testing

I have been using PowerShell in penetration tests for some time now. It is a really powerful shell and scripting language which gives you access to interesting things on a Windows machine. There are many PowerShell scripts involved in Kautilya. In fact, these PowerShell scripts are the reason behind power of Windows payloads in Kautilya.

At some of my talks many nice folks have asked me about the availability of PowerShell scripts for use in Penetration Tests. I started writing new scripts and collecting older ones. After working on this for a while I had some useful collection of payloads and scripts. I call it Nishang. It is available on google code here http://code.google.com/p/nishang/

Nishang means quiver (container for arrows) in Sanskrit. Apt for a collection of payloads and scripts.

It is a collection of scripts and post exploitation framework in PowerShell. The aim is to increase the usage of PowerShell in offensive security and penetration test. Nishang is a result of my own requirements during real life pen tests. Since it is a post exploitation thingy it is assumed that you have a shell access on the machine or using a HID like Teensy to drop the script on the victim.

Why PowerShell? It is easy to learn and powerful (think of Bash in Unix ported to Windows) and is present on every modern Windows macine. If you use PowerShell "properly", most of the times you would need practically nothing for post exploitation other than powershell.

Currently, Nishang includes only those payloads and scripts which do not require you to be an administrator on the machine. That is, no priv shell is required. The payloads are of varied complexity (for the user), while there are simpler ones like Download, Keylogger and Information Gatherer to complex ones like DNS_TXT_Pwnage and Wait_For_Command. All the payloads and scripts come with help. Use

PS> Get-Help [payloadname.ps1] -full

for help on executing a script or payload.

How to use it? The scripts can be used either if you have access to powershell prompt (when you have vnc or rdp etc) or if you have a windows command shell on the target. You must download the script on the target machine.

Below screenshots shows a quick example of the Information_Gather payload being downloaded and executed on a target machine.

One liner to download a script on the target

Execute the script. Note the parameters being passed ot the script.

The result of this payload (info uploaded to pastebin)

That was easy. All the scripts could be executed this way. Yay!

A word of caution, it may appear that your session has stuck after you execute the script. But you can eventually make your way out by repeatedly pressing enter. I am unaware of the reason behind this.

What's next? More scripts are in the development pipeline. Many of them require privileged shell on the target. Also, Niklas Goude has allowed me to add his powershell scripts to Nishang. They should be available with next release, thanks Niklas !

Also, the scripts are Tab ugly right now, that would be clean in next release.

I am looking forward for feedbacks, contributions and feature requests. I hope this would be useful.