Author Topic: Project Shebang  (Read 2458 times)

0 Members and 2 Guests are viewing this topic.

Offline DeXtreme

  • Peasant
  • *
  • Posts: 95
  • Cookies: 8
  • I was there and you never knew.
    • View Profile
    • My Designs
Project Shebang
« on: June 12, 2014, 08:16:23 pm »
Heya fellas, I was thinking about writing script,probably batch, which when run will:

1.Copy a reverse-shell executable(written in python) to the host and make it run at startup

2.Replace the Sticky keys application with a cmd.exe

3.Dump the SAM database

4.Save a rough directory listing of folders like My Documents etc

And whole lot of other stuff i'm yet to think of.


Loaded on a USB stick. I'll have to run it myself of course but is there a way to automate it?

Offline ThePH30N1X

  • Peasant
  • *
  • Posts: 50
  • Cookies: 18
  • Java Programmer
    • View Profile
Re: Project Shebang
« Reply #1 on: June 12, 2014, 09:09:29 pm »

Offline Kulverstukas

  • Administrator
  • Zeus
  • *
  • Posts: 6627
  • Cookies: 542
  • Fascist dictator
    • View Profile
    • My blog
Re: Project Shebang
« Reply #2 on: June 12, 2014, 09:31:55 pm »
This is what he's looking for: https://evilzone.org/projects-and-discussion/teensy-dropper-project-details-and-progress/
Autorun is dead, forget about it. HID is the future.

Python reverse shell sounds ridiculous. A regular user won't have python installed and on linux it can just be blocked. I'd go for netcat or at least a MSF generated reverse shell...

Offline DeXtreme

  • Peasant
  • *
  • Posts: 95
  • Cookies: 8
  • I was there and you never knew.
    • View Profile
    • My Designs
Re: Project Shebang
« Reply #3 on: June 12, 2014, 09:41:12 pm »
This is what he's looking for: https://evilzone.org/projects-and-discussion/teensy-dropper-project-details-and-progress/
Autorun is dead, forget about it. HID is the future.

Python reverse shell sounds ridiculous. A regular user won't have python installed and on linux it can just be blocked. I'd go for netcat or at least a MSF generated reverse shell...

I was gonna compile the script to .exe with py2exe or pyinstaller. Plus i just wanted the feel of writing a reverse shell ;D I've been checking out HID but i'm not sure i can get the hardware. I'll continue reading up on it though

Offline frog

  • Knight
  • **
  • Posts: 232
  • Cookies: 16
    • View Profile
Re: Project Shebang
« Reply #4 on: June 13, 2014, 02:42:12 am »
I was gonna compile the script to .exe with py2exe or pyinstaller. Plus i just wanted the feel of writing a reverse shell ;D I've been checking out HID but i'm not sure i can get the hardware. I'll continue reading up on it though

That will work, you could have the initial batch file save the py2exe generated directory(which contains the executable, some python c-modules and some .dlls for functionality) to the user's appdata/local(to hide) but you will need admin privileges to write registry keys for the startup process.

You don't need admin priveleges to copy to (C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>) which will achieve the same result as writing to the key in the registry. It will run when the user logs in. Right now I have a shortcut to the Rainmeter binary lurking in my startup folder.

Next have the batch file generate another .bat that points to your .exe in and save it to the startup folder previously mentioned and that SHOULD work.

Since you will be launching the batch file manually(at least for now), you will be able to start the batch file as admin and you can set things up a lot better. First off read this article about alternate data streams and you will see the potential for hiding your .exe even further. Imagine having your .exe hidden inside of another one, let's say explorer.exe.

The result will be that every time explorer.exe runs your binary will also run, inside the original process! This means it doesn't show in task manager, only the original explorer.exe shows in the list with slightly more memory usage than normal. I haven't tried this with explorer.exe but I know for a fact it works with other .exe's.

Read the attachment.

Also, here's a link for a cheap hid device.
https://www.pjrc.com/store/teensy31.html

Works with arduino IDE, with Teensyduino plugin available for free on the site in the link.
« Last Edit: June 13, 2014, 02:44:58 am by frog »

Offline DeXtreme

  • Peasant
  • *
  • Posts: 95
  • Cookies: 8
  • I was there and you never knew.
    • View Profile
    • My Designs
Re: Project Shebang
« Reply #5 on: June 13, 2014, 04:21:17 am »
Thanks a lot frog. That's pretty useful stuff. Originally i planned on simply copying the files to the directories and editing the registry but your way sounds interesting. Plus the .exe in .exe info looks great. I'll be sure to look into it.

Gonna have to put a hold on the Teensy though. Ordering stuff from here is murder.

But thanks again. I'll keep y'all posted. ;D

Offline Kulverstukas

  • Administrator
  • Zeus
  • *
  • Posts: 6627
  • Cookies: 542
  • Fascist dictator
    • View Profile
    • My blog
Re: Project Shebang
« Reply #6 on: June 13, 2014, 07:17:52 am »
I have Teensy2.0, it's kinda cheap and cool. Don't bother with the SDcard shield tho, it's useless.
py2exe for a reverse shell sounds like an overkill bro. There are plenty of example code to do it in C/++. Much better that way, and as I said before, there's always Netcat.

Offline frog

  • Knight
  • **
  • Posts: 232
  • Cookies: 16
    • View Profile
Re: Project Shebang
« Reply #7 on: June 13, 2014, 08:03:38 am »
Thanks a lot frog. That's pretty useful stuff. Originally i planned on simply copying the files to the directories and editing the registry but your way sounds interesting. Plus the .exe in .exe info looks great. I'll be sure to look into it.

Gonna have to put a hold on the Teensy though. Ordering stuff from here is murder.

But thanks again. I'll keep y'all posted. ;D

No problem, just trying to keep the wheels turning.. Where are you at in the world? Just curious about your reasoning on ordering things.

Offline DeXtreme

  • Peasant
  • *
  • Posts: 95
  • Cookies: 8
  • I was there and you never knew.
    • View Profile
    • My Designs
Re: Project Shebang
« Reply #8 on: June 13, 2014, 07:10:21 pm »
I have Teensy2.0, it's kinda cheap and cool. Don't bother with the SDcard shield tho, it's useless.
py2exe for a reverse shell sounds like an overkill bro. There are plenty of example code to do it in C/++. Much better that way, and as I said before, there's always Netcat.

True.It would be better that way. However my original plan for the reverse shell was to connect back based on my MAC address. So regardless of my IP the shell can still find me. It's mainly for the WLAN at school. People log on and off so IPs aren't constant.
My C isn't that good either ;D so i thought I'd use Python as proof of concept. Maybe later code it in C.

What do you think?

No problem, just trying to keep the wheels turning.. Where are you at in the world? Just curious about your reasoning on ordering things.

Ghana..shipping isn't exactly a breezy down here and the rates are sky high.

Offline Kulverstukas

  • Administrator
  • Zeus
  • *
  • Posts: 6627
  • Cookies: 542
  • Fascist dictator
    • View Profile
    • My blog
Re: Project Shebang
« Reply #9 on: June 13, 2014, 09:11:10 pm »
I'd like to see how you will identify yourself in the world with just a MAC...
Python as a POC, yeah that sounds good. Tho I recommend to switch to C on normal basis.

Offline frog

  • Knight
  • **
  • Posts: 232
  • Cookies: 16
    • View Profile
Re: Project Shebang
« Reply #10 on: June 13, 2014, 11:32:09 pm »
I'd like to see how you will identify yourself in the world with just a MAC...
Python as a POC, yeah that sounds good. Tho I recommend to switch to C on normal basis.

If it's on an intranet(the LAN); no problem. Just use arp request packets to find the mac and corresponding IP.

I'm surprised how many people are from a different country than me on this site. I like it.

Offline DeXtreme

  • Peasant
  • *
  • Posts: 95
  • Cookies: 8
  • I was there and you never knew.
    • View Profile
    • My Designs
Re: Project Shebang
« Reply #11 on: June 14, 2014, 01:16:07 am »
Yeah it's on LAN.WLAN to be exact.I read up on ARP requests and it looks like it's only good for looking up the MAC address with the IP. The opposite is RARP but it seems it's not activated by default. I was planning on sending a SYN packet with my MAC using Scapy and reading the IP from the ACK packet. Then connecting via Socket with that. Only problem is downloading all the files needed to run Scapy on Windows. The sites seem to be down from here.

Offline frog

  • Knight
  • **
  • Posts: 232
  • Cookies: 16
    • View Profile
Re: Project Shebang
« Reply #12 on: June 14, 2014, 12:02:38 pm »
Yeah it's on LAN.WLAN to be exact.I read up on ARP requests and it looks like it's only good for looking up the MAC address with the IP. The opposite is RARP but it seems it's not activated by default. I was planning on sending a SYN packet with my MAC using Scapy and reading the IP from the ACK packet. Then connecting via Socket with that. Only problem is downloading all the files needed to run Scapy on Windows. The sites seem to be down from here.

There are other packet capture and packet decoding/encoding for python. Here's a couple. You might have to have specific version of Python though.

http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Pcapy
http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Impacket
https://code.google.com/p/dpkt/

Problem is there's not a ton of documentation for these modules.

You could also craft the RARP request from scratch using raw sockets, but I think I found what you are looking for; this library can craft RARP packets:
https://pypi.python.org/pypi/arp/1.0
« Last Edit: June 14, 2014, 12:02:46 pm by frog »

Offline proxx

  • Avatarception
  • Global Moderator
  • Titan
  • *
  • Posts: 2803
  • Cookies: 256
  • ФФФ
    • View Profile
Re: Project Shebang
« Reply #13 on: June 14, 2014, 01:43:28 pm »
Yeah it's on LAN.WLAN to be exact.I read up on ARP requests and it looks like it's only good for looking up the MAC address with the IP. The opposite is RARP but it seems it's not activated by default. I was planning on sending a SYN packet with my MAC using Scapy and reading the IP from the ACK packet. Then connecting via Socket with that. Only problem is downloading all the files needed to run Scapy on Windows. The sites seem to be down from here.
You are making this very difficult on yourself, I suggest reading up a bit on TCP/IP
Wtf where you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage

Offline DeXtreme

  • Peasant
  • *
  • Posts: 95
  • Cookies: 8
  • I was there and you never knew.
    • View Profile
    • My Designs
Re: Project Shebang
« Reply #14 on: June 15, 2014, 10:57:08 pm »
There are other packet capture and packet decoding/encoding for python. Here's a couple. You might have to have specific version of Python though.

http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Pcapy
http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Impacket
https://code.google.com/p/dpkt/

Problem is there's not a ton of documentation for these modules.

You could also craft the RARP request from scratch using raw sockets, but I think I found what you are looking for; this library can craft RARP packets:
https://pypi.python.org/pypi/arp/1.0

Cool. Thanks again frog.



You are making this very difficult on yourself, I suggest reading up a bit on TCP/IP

 ;D Great advice. Shoulda done this before getting so specific. I am not done read this TCP/IP book i got but a quick question;

Instead of using MAC, could i just query the network's DNS server with my computer name?