I’ve been using TrustedSec’s Unicorn a LOT over the past few months. In fact, it’s become my go-to payload to pop a box. While it’s awesome to be able to paste a command and get a shell, sometimes an EXE is required. For those cases, I’ve made a script to make the whole process automated: powershell_exe.py tl;dr powershell_exe.py uses winrar’s commandline options under wine to make a self-extracting archive. Source Setup instructions cd /opt git clone https://github.com/trustedsec/unicorn.git cd ~/Desktop wget http://www.rarlab.com/rar/wrar511.exe wine wrar511.exe Now just go through the default options of winrar to finish the install. Usage: python power_exe.py <payload>... [Read More]

I had the opportunity to take part in the Pacific Rim CCDC this past weekend and it was a BLAST! It was my first CCDC, so I really didn’t know what to expect. I did know that the last thing I would want to be doing is installing and configuring tools during test time. Kali I err’d on the side of installing tools I may not use rather than not installing something I would need. I’ve got a goto script I use for my setting up a Kali VM and customizing. It installs a ton of tools and scripts that I use. The script can be found here. Then, I made some manual tweaks: Change root password Enable autologin within <code class="language-plaintext... [Read More]

Persistence is a great thing to have on a pentest, especially if testing from the outside. Persistence also seems to be a word that makes clients’ hairs on the back of their necks stand up. Backdoors are a scary thing if you’re in charge of keeping a network secure. When it comes to installing persistence, there are quite a few options available such as Metasploit’s persistence module or scheduleme.rb. These modules leave a permanent, like one would think, payload and schedule for phoning home to the tester’s box. But what about when this is out of scope? Here’s a method to keep a payload phoning home but leaves no permanent effects. Using WinRAR, we can pack our payload with a vbscript that sleeps... [Read More]

Veil is awesome - it makes payload generation easy and supports a wide variety of payloads with new ones being dropped pretty often. Getting caught by AV during a test is not awesome. Being caught because the target’s AV had a signature hit on you is even worse. Because YOU (the tester) messed up. You didn’t take the extra few minutes to regenerate a payload. I’ve been there and I’m sure you’ve been there. It sucks and you feel silly. The solution? Use Veil’s command line options and cron to regenerate payloads every 30 minutes. Server Build This is the basic build. Let’s assume that you have a server that you catch social engineering payloads on. Static IP (or domain). For setup, make a directory... [Read More]

There are a number of commands that tend to get run on every session on a target I get in Metasploit. Using resource files, these commands can be automated to dump as much information as possible, as quickly as possible. This can be combined with an MSFConsole autostart script to automate the starting of handlers and pre-fill options for post modules that don’t need to be run on every session. First we make a new file for the autorunscript to be run on each new session: nano /infogather and paste the following in the file: run migrate -f screenshot -v false ps ipconfig sysinfo run post/windows/gather/enum_shares run post/windows/gather/enum_domain_group_users group="Domain Admins" run post/windows/gather/checkvm screenshot -v false background Each command... [Read More]