Saturday, October 27, 2012

Kautilya 0.4.0 - reliable payload execution and more

Kautilya 0.4.0 would be more reliable than ever (at least I intended so). There has been a major change in the architecture thanks to this awesome post by the Offensive Security guys. Large parts of code have been copied from the Peensy standalone.

Two major changes in how generated payloads will execute:

1. Now, whenever you connect a device with a payload from Kautilya, it will check for responsiveness to the Caps Lock key and will continue only when the drivers are loaded properly. The default 25 seconds delay gets out of the windows *phew*.

2. When the drivers are loaded (and is confirmed by step one), the next step is to open a command prompt. To make sure that it has a command prompt, the Teensy is made to press Caps Lock programmatically and then it senses the response. Only after a response it continues to send keystrokes for the rest of the payload. Life just got easier :)

A new payload for Windows, DNS TXT Backdoor has been added. This payload is a powershell script which keeps polling TXT records of a given domain and is capable of executing commands and powershell script based on the TXT record received. Have a look at the below screenshot

The subdomain "" is one whose TXT records would be queried continuously for instructions. The payload will keep querying this subdomain.

If it gets "begin" as the value of TXT record of "", it will query "" for commands to execute on the target machine.

If it gets "script7" in response. It will query upto for seven lines of powershell script, that is, in this string the last character should be equal to number of lines in your powershell script. Each line should be base64 encoded in a single TXT record :) The script is decoded on the target and executed. The payload dies afterwards. Ugly, but works ;)

Another nice thing added is credential validation by the Credentials payload. Now, whenever credentials are entered in the pop up asking for credentials, they will be validated against local accounts and default AD, if both are not validated the box appears again. Increased probability of getting credentials in plain :)

In other things,I removed two unstable (read unusable) payloads, Chrome RDP and Uninstall. The Chrome RDP payload is gone for good and Uninstall would be back in a future release after it is rewritten and made usable.

Here is the CHANGELOG

- Added Peensy functionality which means reliable execution of payloads and measured delays when the device is connected.
- Added "DNS TXT Backdoor" payload for Windows.
- Fixed a small bug in Rogue AP payload. The SSID key was not masked previously.
- Credentials payload now validates both local and AD crdentials. If creds entered could not be validated locally or at AD, credential prompt is shown again.
- Fixed a major bug in Time Based Execution payload. Embarrassingly, "echo" was missing from various lines of the payload,  making it ineffective.
- Added osx_payloadgen.txt to the extras directory. It was somehow missed in 0.3.0
- Fixed a small bug in Information Gather payload.
- Added sniffer.ps1 to the extras directory.
- Minor changes in Tracking Target Connectivity payload.
- Removed Chrome RDP Payload. Was not really useful.
- Removed Uninstall payload till next release.

As always, I welcome feedback, bug reports, questions and feature requests.