This is the fifth post in the series of Teensy USB HID for Penetration Testers. Sorry for the gap between this and the last post (almost three months). I was not sitting idle though: I released Nishang in between, and a new and shiny version of Kautilya is out :)
Let us have a look at some advanced payloads in Kautilya.
Hashdump
This payload can be used to dump password hashes from a Windows 7 machine. To use it, you have to upload the powerdump meterpreter script from msf to a website (I used pastebin). The script is then downloaded on the victim machine later on.
On a Windows 7 machine, you must have SYSTEM privileges to dump hashes using the powerdump script. SYSTEM privileges can be gained by scheduling a task as an administrator to be run as SYSTEM. The second option asked during payload generation is the name of this task.
Also, this payload pastes the hashes to pastebin as a private paste. To paste privately, you need a free account on pastebin. You need to provide the username, password and API developer key (under the API link after you log in to pastebin) for your pastebin account.
Compile the generated output to Teensy, connect it to the victim and after a few seconds you should see this in the private pastes of the pastebin account used with the payload:
Neat!! Now we can crack or "pass" these in further attacks. (The hashes are from one of my test systems.)
Keylogger
This payload runs a keylogger written in PowerShell and pastes keys to pastebin as a private paste after a given interval. Here is how to use this:
Compile the output to Teensy, connect it to the victim and you should see this in your pastebin account after a few seconds (keep in mind the time interval you have given):
Download this and use the parsekeys.ps1 script to get some meaningful data. The script requires the data from this pastebin to be copied into a text file called data.txt in the same folder as the script, and it creates a file called Logged_keys.txt with the parsed keys. This is how the parsed keys should look:
The keylogger is able to log keys typed in web forms and Windows prompts. This payload works with normal user privileges (no admin required). While using this payload, please keep in mind that pastebin limits the number of posts per day, and I think the limit is stricter for private pastes. You either need a pro account or ask me nicely to implement some other paste service ;) In fact, I tested this on tinypaste and it worked cleanly. The reason I stuck with pastebin is that I have seen pastebin allowed in many restricted environments, as compared to tinypaste.
Wireless Rogue AP
Windows 7 has a nice feature called Hosted Network. It is meant for sharing your wireless network with other devices. This feature can be used as a backdoor. This payload adds and starts a wireless hosted network on the victim. Then a meterpreter bind payload is executed in memory using PowerShell. This technique is taken from this awesome post by Matt (and is used in many more payloads in Kautilya). Administrative access is required for this payload.
You need to generate the bind meterpreter payload using the command in payloadgen.txt in the extras directory. The generated payload is to be copied to rogue_ap.txt in the src directory. After that, create a payload using Kautilya:
You should be able to see a wireless network called "wifibdoor" after the output is compiled to Teensy and attached to the victim. After successfully connecting to the network you would like to connect to the bind payload, but what would be the IP address to connect to? Open up a command prompt and look at the gateway for this wireless connection. As the network is hosted on the victim, the default gateway is the IP of the victim. Connect to the port you used for the msf bind payload on the default gateway using the msf listener and bingo, you have a meterpreter session. But wait, this is a bind shell; what about Windows Firewall? If you look at the source, an exception is added to the Windows Firewall exception list with the program name "PowerShell Update".
Connect to Hotspot and Execute Code
I got the idea for this payload during an internal pen test. In the case of that client, there was no internet access from the employees' laptops, barring a few (almost 20) websites. In such a scenario, I use this technique, which I call Injecting the Internet...hee hee.
This payload forces the target to connect to a hotspot controlled by you, thus effectively bypassing any restrictions on internet connectivity. This forced connection is achieved by "typing" a WLAN profile on the victim; the profile is then used to make a connection. Administrative access is required for this action.
An ideal use case is a hotspot hosted on a smartphone within wireless range of the target machine ;) In the third option (URL where the payload is hosted), you can use either a URL hosted on a web server running on your phone (I use kWS) or a URL from the internet. The Kautilya payload expects an executable in text format at this URL.
After connecting the Teensy to a victim, we get this :)
WLAN Keys Dump
This payload dumps information for all WLAN profiles on the target system, including the keys in clear text, and uploads it to pastebin as a private paste. A user with admin privileges must be logged in for this payload to work.
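As an added defender's example (not code from this post or from Kautilya), the following Python flags the host-side actions that the Hashdump, Rogue AP, Connect to Hotspot and WLAN Keys Dump payloads depend on, by matching process command lines in constructed Sysmon-style process-creation records. The regexes, the record layout and the sample command lines are assumptions of this example, not Kautilya's actual commands.

```python
import re

# Each rule: (description, regex over the process command line). The
# patterns cover the schtasks/netsh actions the post describes; they are
# heuristics for those Windows features, not Kautilya-specific signatures.
RULES = [
    ("scheduled task created to run as SYSTEM (Hashdump)",
     re.compile(r"schtasks(\.exe)?\s.*/ru\s+\"?(nt authority\\)?system", re.I)),
    ("wireless hosted network configured or started (Rogue AP)",
     re.compile(r"netsh\s+wlan\s+(set|start)\s+hostednetwork", re.I)),
    ("firewall exception added for a PowerShell program (Rogue AP)",
     re.compile(r"netsh\s+(advfirewall\s+)?firewall\s+add\b.*powershell", re.I)),
    ("WLAN profile imported from a file (Connect to Hotspot)",
     re.compile(r"netsh\s+wlan\s+add\s+profile\s+filename=", re.I)),
    ("WLAN key requested in clear text (WLAN Keys Dump)",
     re.compile(r"netsh\s+wlan\s+show\s+profile\b.*key=clear", re.I)),
]

def extract_command_line(record):
    """Return the CommandLine field of a 'Key=Value|Key=Value' record."""
    for field in record.split("|"):
        key, _, value = field.partition("=")
        if key.strip().lower() == "commandline":
            return value.strip()
    return ""

def detect(records):
    """Return (record_index, rule_description) for every matching record."""
    hits = []
    for i, rec in enumerate(records):
        cmd = extract_command_line(rec)
        for description, pattern in RULES:
            if pattern.search(cmd):
                hits.append((i, description))
    return hits

# Constructed sample records in an assumed Sysmon-like Key=Value|... layout
# (not real telemetry); the last one is benign and must not match.
SAMPLE = [
    "EventId=1|Image=C:\\Windows\\System32\\schtasks.exe|CommandLine=schtasks /create /tn Updater /tr powershell.exe /sc once /st 12:00 /ru SYSTEM",
    "EventId=1|Image=C:\\Windows\\System32\\netsh.exe|CommandLine=netsh wlan set hostednetwork mode=allow ssid=wifibdoor",
    "EventId=1|Image=C:\\Windows\\System32\\netsh.exe|CommandLine=netsh firewall add allowedprogram C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"PowerShell Update\" ENABLE",
    "EventId=1|Image=C:\\Windows\\System32\\netsh.exe|CommandLine=netsh wlan show profile name=Corp key=clear",
    "EventId=1|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe C:\\Users\\bob\\notes.txt",
]

if __name__ == "__main__":
    for idx, description in detect(SAMPLE):
        print(f"record {idx}: {description}")
```

Each rule fires on one of the first four records and none on the benign notepad record; in a real deployment the patterns would be tuned against the environment's legitimate netsh and schtasks usage.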
Code Execution using DNS TXT queries
This payload pulls the first stage of a meterpreter from a DNS TXT record and executes it in memory using PowerShell. The payload makes two queries to different subdomains, one for 32-bit and one for 64-bit shellcode; the architecture is detected during payload execution and the appropriate shellcode is executed. The meterpreter needs to be generated using the command in payloadgen.txt in the extras directory in Kautilya.
The result is the same as for some of the payloads above. A nice meterpreter shell!
Obviously, you need control of the TXT records of a domain to use this. I used a domain with zoneedit.com. It is easy and effective to use. You can fit the first stage of a meterpreter inside a single TXT record.
Wait for Command
This payload continuously queries a pastebin URL for specific content. As soon as the content matches, another URL is opened looking for a PowerShell script. The PowerShell script is downloaded and executed on the target.
In the above example, the content of the first URL is queried continuously (with an interval of 5 seconds). Whenever you want to execute a PowerShell script on the target, change its content to the magic string (which is "balwant_rai_ke_kutte" in this case ;) ) and the payload will download and execute the PowerShell script from the second URL.
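An added example (not from this post or from Kautilya) of two network-side checks for the behaviours described in the DNS TXT and Wait for Command sections: a client fetching one pastebin URL at a near-constant interval, and DNS TXT answers large enough to hold a shellcode stage. The log formats, thresholds and sample lines are constructed assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

def find_pollers(proxy_lines, min_hits=4, max_jitter=1.0):
    """Return {(client, url): mean_gap_seconds} for clients fetching one
    URL at a near-constant interval (the post's poll runs every 5 s)."""
    stamps = defaultdict(list)
    for line in proxy_lines:
        ts, client, url = line.split()[:3]
        stamps[(client, url)].append(datetime.fromisoformat(ts))
    pollers = {}
    for key, times in stamps.items():
        if len(times) < min_hits:
            continue  # too few requests to call it periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:
            pollers[key] = round(mean(gaps), 1)
    return pollers

def find_large_txt(dns_lines, min_len=200):
    """Return (client, qname, answer_length) for TXT answers big enough
    to carry a code stage; ordinary TXT records (SPF, DMARC) stay short."""
    hits = []
    for line in dns_lines:
        client, qtype, qname, answer = line.split(maxsplit=3)
        if qtype == "TXT" and len(answer) >= min_len:
            hits.append((client, qname, len(answer)))
    return hits

# Constructed proxy log, "<ISO timestamp> <client> <url>": 10.0.0.7 polls
# one paste every 5 s, 10.0.0.9 fetches another paste only twice.
PROXY = [f"2012-09-01T10:00:{5 * i:02d} 10.0.0.7 http://pastebin.com/raw/EXAMPLE"
         for i in range(6)]
PROXY += ["2012-09-01T10:00:03 10.0.0.9 http://pastebin.com/raw/OTHER",
          "2012-09-01T10:00:41 10.0.0.9 http://pastebin.com/raw/OTHER"]
# Constructed DNS log, "<client> <qtype> <qname> <answer>"; the 600-byte
# TXT answer stands in for a record carrying a shellcode stage.
DNS = ["10.0.0.7 TXT x86.example.invalid " + "A" * 600,
       "10.0.0.7 TXT _dmarc.example.invalid v=DMARC1;p=none",
       "10.0.0.7 A www.example.invalid 192.0.2.10"]

if __name__ == "__main__":
    print(find_pollers(PROXY))
    print(find_large_txt(DNS))
```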
This post covered many interesting payloads for Windows in Kautilya. In the next post in this series we will have a look at payloads for Linux (Ubuntu) and OS X. Please leave comments and feedback. I would be glad to implement (almost) any feature request.