This PS1 starts a listener server on a 'Windows|Linux' attacker machine and generates PS reverse tcp shell payloads obfuscated in 'BXOR' with a random secret key and another layer of Characters/Variables Obfuscation to be executed on the target machine. You can also receive the generated reverse tcp shell connection via 'netcat' (in that case you will lose C2 functionalities like screenshot, upload, download files, Keylogger, AdvInfo, PostExploit, Escalation-Of-Privileges, Stream Target Desktop).
Executing the client (payload or the dropper) with administrator privileges unlocks ALL C2 server modules (AMSI bypass + Execution_Policy bypass).
Remark: Meterpeter payloads | droppers are FUD (please don't test\send samples to Virus_Total\similar websites or to $Microsoft Cloud suspicious.amsi samples).
This update adds new modules, fixes modules being flagged by AMSI (Anti-Virus), and reviews all Meterpeter C2 (server) individual modules for errors\bugs\fast improvements.
Meterpeter Prompt | Module Name | Module Description | Module Options | State |
---|---|---|---|---|
:meterpeter:Adv:Processes> | kill | Kill process by its PID number | *** | new option |
:meterpeter:Adv:Browser> | Clean | Clean major browsers temporary files | *** | new module |
:meterpeter:Keylogger> | SocialMedia | Capture keyboard keystrokes from FB and Twitter | Start, Stop, Schedule, Delay Force, SendToPasteBin | new module |
:meterpeter:Post> | Msstore | Manage Microsoft Store programs | list, discover, install, uninstall | new module |
:meterpeter:Post:Escalate> | Uacpriv | Use RUNAS to spawn UAC dialog box (user->admin) | *** | new module |
:meterpeter:Post:Passwords> | DumpSam | Dump hashes from registry hives | *** | new module |
:meterpeter:Post:Passwords> | Browser | Dump stored credentials | *** | *AMSI bypass* |
:meterpeter:Post:Passwords> | Putty | Leak PUTTY session(s) credentials (regedit) | *** | new module |
:meterpeter:Post:PhishCred> | Start | Phish for remote credentials | *** | new msgbox added |
:meterpeter:Post:AMSIPatch> | Console | Disable AMS1 within current process | Console, FilePath, PayloadUrl | *AMSI bypass* |
:meterpeter:Pranks> | WindowsUpdate | Windows fake update full screen prank (browser) | *** | new module |
:meterpeter:Pranks> | LabelDrive | Rename drive letter (C:) label (display name) | list, rename | new module |
:meterpeter:Pranks> | criticalerror | Fake a system critical error (BSOD) | *** | *AMSI bypass* |
:meterpeter:Pranks> | BallonTip | Show a balloon tip in the notification bar | Title, Text, IconType, AutoClose | new module |
```text
Module Name              Module Description
-----------------------  ----------------------
info                     Retrieve remote host system information
session                  Retrieve Meterpeter C2 connection status
advinfo                  Advanced system information sub-menu
  |__ accounts           List remote host accounts
  |__ revshell           List client rev tcp shell information
  |__ ListAppl           List remote host installed applications
  |__ Processes          Remote host processes sub-menu
        |__ Check        List remote process(es) running
        |__ Query        Process name verbose information
        |__ DllSearch    List DLLs loaded by processes
        |__ Kill         Kill remote process from running (processname or pid)
  |__ Tasks              Enumerate schedule tasks sub-menu
        |__ Check        Retrieve schedule tasks
        |__ Query        Retrieve single task information
        |__ RunOnce      Create new schedule task
        |__ LoopExec     Create new schedule task
        |__ Delete       Delete existing schedule task
  |__ Drives             List all remote host mounted drives
  |__ Browser            List remote host installed browsers sub-menu
        |__ Start        Enumerate remote browsers\versions installed
        |__ Verbose      Verbose enumerate remote browsers installed
        |__ Addons       Enumerate installed browser addons
        |__ Clean        Clean major browsers temporary files
  |__ Recent             List remote host recent directory
  |__ ListSMB            List remote host SMB names\shares
  |__ StartUp            List remote host startup directory
  |__ ListRun            List remote host startup run entries
  |__ AntiVirus          Enumerate all EDR products installed sub-menu
        |__ Primary      PrimaryAV + Security processes
        |__ FastScan     PrimaryAV + Security processes + EDR hunt
        |__ Verbose      Full scan module ( accurate\slower )
  |__ FRManager          Manage remote host firewall rules sub-menu
        |__ Query        Query 'active' firewall rules
        |__ Create       Block application\program rule
        |__ Delete       Delete selected firewall rule
  |__ OutLook            Manage OutLook Exchange Email Objects sub-menu
        |__ Folders      Display outlook folder names
        |__ Contacts     Display outlook contacts info
        |__ Emails       Display outlook email objects
        |__ SendMail     Send Email using target domain
upload                   Upload from local host to remote host
  |__ start              Upload from lhost to rhost
download                 Download from remote host to local host
  |__ start              Download from rhost to lhost
Screenshot               Capture remote host desktop screenshots sub-menu
  |__ Snapshot           Capture one desktop screenshot
  |__ SpyScreen          Capture multiple screenshots (background)
keylogger                Install remote host keylogger sub-menu
  |__ Mouse              Start remote mouselogger
  |__ Keystrokes         Start\Stop remote keylogger
  |__ Pastebin           Send keystrokes to pastebin
  |__ Browser            Capture browsers active tab title
  |__ SocialMedia        Capture FB + Twitter + WhatsApp + Instagram keyboard keystrokes
PostExploit              Post Exploitation modules sub-menu
  |__ Stream             Stream remote host desktop live
        |__ Start        Stream target desktop live
  |__ Camera             Take snapshots with remote webcam sub-menu
        |__ Device       List all available WebCamera Devices
        |__ Snapshot     Auto use of default webcam to take snapshot
        |__ WebCamAvi    Capture video (AVI) using default webcam
  |__ FindEop            Search for EOP possible entry points sub-menu
        |__ Check        Retrieve directory permissions
        |__ Service      Search for Unquoted Service Paths
        |__ RottenP      Search for rotten potato vuln
        |__ Agressive    Search for all EOP possible entries
  |__ Escalate           Escalate rev tcp shell privileges sub-menu
        |__ GetAdmin     Escalate client privileges (user->admin)
        |__ Delete       Delete getadmin module artifacts
        |__ Uacpriv      Use RUNAS to spawn UAC (user->admin)
        |__ CmdLine      UAC execute command elevated
  |__ Persist            Persist rev tcp shell on startup sub-menu
        |__ Beacon       Persist Client using startup
        |__ ADSRUN       Persist Client using ADS:Run
        |__ RUNONCE      Persist Client using REG:HKCU
        |__ REGRUN       Persist Client using REG:HKLM
        |__ Schtasks     Persist Client using Schtasks
        |__ WinLogon     Persist Client using WinLogon
  |__ TimeStamp          Change remote host files timestamp
        |__ Check        Print current file timestamp
        |__ Modify       Modify existing file timestamp
  |__ Msstore            Manage Microsoft Store programs
        |__ List         List installed packages [local PC]
        |__ Discover     Search for apps in msstore
        |__ Install      Install application from msstore
        |__ Uninstall    Uninstall application from [local PC]
  |__ Artifacts          Clean remote host activity tracks sub-menu
        |__ Query        Query eventvwr logs
        |__ Clean        Clean system tracks
        |__ Paranoid     Clean tracks paranoid ( anti-forensic )
  |__ HiddenDir          Super\hidden directories manager sub-menu
        |__ Search       Search for regular hidden folders
        |__ Super        Search super hidden folders
        |__ Create       Create\Modify super hidden folder
        |__ Delete       Delete one super hidden folder
  |__ hideUser           Remote hidden accounts manager sub-menu
        |__ Query        Query all accounts
        |__ Create       Create hidden account
        |__ Delete       Delete hidden account
  |__ Passwords          Search for passwords inside files sub-menu
        |__ File         Search for credentials recursive
        |__ Putty        Leak PUTTY session(s) credentials (regedit)
        |__ Dpapi        Dump DPAPI masterKeys + blobs
        |__ Vault        Dump creds from Password Vault
        |__ WDigest      Credential caching in memory [clear-text]
        |__ Brower       Web Browser credential dump [clear-text]
        |__ DumpSAM      Dump hashes from registry hives
  |__ BruteAcc           Brute-force user account password
        |__ Start        Brute force user account password
  |__ PhishCred          Prompt remote user for logon creds
        |__ Start        Phish for remote credentials
  |__ AMSIpatch          Disable AMS1 within current process sub-menu
        |__ Console      Disable AMS1 within current process
        |__ FilePath     Execute input script through bypass
        |__ PayloadUrl   Download\Execute script through bypass
  |__ Exclusions         Manage Windows Defender exclusions
        |__ Query        Query all windows defender exclusions
        |__ Create       Create a new windows defender exclusion
        |__ UrlExec      Download\Exec URI through created exclusion
        |__ Delete       Delete one windows defender exclusion
  |__ LockPC             Lock remote host WorkStation
  |__ Restart            Restart remote host WorkStation
  |__ Allprivs           EnableAllParentPrivileges to exec cmdline sub-menu
        |__ demo         EnableAllParentPrivileges to exec cmdline (demo)
        |__ cmdline      EnableAllParentPrivileges to exec cmdline (cmdline)
NetScanner               Local LAN network scanner sub-menu
  |__ ListDNS            List remote host Domain Name entries
  |__ TCPinfo            List remote host TCP\UDP connections sub-menu
        |__ Stats        Query IPv4 Statistics
        |__ Query        Established TCP connections
        |__ Verbose      Query all TCP\UDP connections
  |__ ListWifi           List remote host Profiles/SSID/Passwords sub-menu
        |__ ListProf     Remote-Host wifi Profile
        |__ ListNetw     List wifi Available networks
        |__ ListSSID     List Remote-Host SSID Entries
        |__ SSIDPass     Extract Stored SSID passwords
  |__ PingScan           List devices ip addr\ports\dnsnames on Lan sub-menu
        |__ Enum         List active ip addresses on Lan
        |__ PortScan     Single ip port scanner \ dns resolver
  |__ GeoLocate          Client GeoLocation using curl ifconfig.me sub-menu
        |__ GeoLocate    Client GeoLocation using curl
        |__ Ifconfig     Client GeoLocation using ifconfig
Pranks                   Prank remote host modules sub-menu
  |__ Msgbox             Spawn remote msgbox manager
        |__ simple       Spawn simple msgbox
        |__ cmdline      Msgbox that exec cmdline
  |__ Speak              Make remote host speak one phrase
        |__ start        Speak input sentence
  |__ OpenUrl            Open\spawn URL in default browser
        |__ Open         Open Url on default browser
  |__ GoogleX            Browser google easter eggs sub-menu
        |__ gravity      Open Google-Gravity webpage
        |__ sphere       Open Google-Sphere webpage
        |__ rotate       Open rotate 360º webpage
        |__ mirror       Open Google-Mirror webpage
        |__ teapot       Open Google-teapot webpage
        |__ invaders     Open Invaders-Game webpage
        |__ pacman       Open Pacman-Game webpage
        |__ rush         Open Google-Zerg-Rush webpage
        |__ moon         Open Google-Moon webpage
        |__ Terminal     Open Google-Terminal webpage
        |__ trexgame     Open Google-T-Rex-Game webpage
        |__ kidscoding   Open Google-kidscoding webpage
        |__ googlespace  Open Google-Space webpage
  |__ WindowsUpdate      Fake windows update full screen prank (browser)
  |__ CriticalError      Prank that fakes a critical system error (BSOD)
  |__ BallonTip          Show a balloon tip in the notification bar
  |__ Nodrives           Hide All Drives (C:D:E:F:G) From Explorer (GUI)
  |__ LabelDrive         Rename drive letter (C:) label (display name)
        |__ List         List ALL drives available
        |__ Rename       Rename drive letter label
```
Capture keyboard keystrokes from Facebook, Twitter, WhatsApp, Instagram (browser active tab)
Listing active TCP connections on remote host
Scanning OutLook for Email Objects
Record remote webcam in AVI format
Dump remote machine hashes
Dump remote machine DPAPI secrets
Dump all stored browsers credentials
Cleaning attacker system tracks ( anti-forensic )
File Name: meterpeter.ps1 ( server )
Scanner results: 1% Scanner(s) (2/47) found malware!
report: https://www.virscan.org/report/8b5efcd871003109d21b23f19826149c91ca6f26108009a2b0f38a90fb220a17
Time: 2023-12-08 02:14:22 (CST)
File Name: Update-KB5005101.ps1 ( client )
Scanner results: 0% Scanner(s) (0/46) found malware!
report: https://www.virscan.org/report/b12399a52b5064b063fef4f5740d4784a2e3bb587a32ab416d047c909d0b5fc9
Time: 2023-01-31 17:26:47 (CST)
Haxor NickName | Description |
---|---|
@ShantyDamayanti | Help debugging modules |
@DanielDurnea | Documentation\Software |
Published by r00t-3xp10it almost 2 years ago
This update fixes meterpeter.ps1 (server) and dropper (vbs format) flagging detection on execution (amsi).
A little bit of effort was also put into redesigning the server (meterpreter.ps1) menus \ submenus in a more simplistic way, and into reviewing all Meterpeter C2 (server) individual modules for errors\bugs\fast improvements.
Meterpeter Prompt | Module Name | Module Description | Module Options | State |
---|---|---|---|---|
:meterpeter:Adv> | Tasks | Manage remote schedule tasks | Check, Query, RunOnce, LoopExec, Delete | new module (amsi bypass) |
:meterpeter:Adv:Processes> | kill | Kill processes | by processname or pid | new option added (pid) |
:meterpeter:Post> | Exclusions | Manage Windows Defender exclusions | Query, Create, UrlExec, Delete | new module |
:meterpeter:Post:Camera> | WebCamAvi | Capture video (AVI) using default webcam | RecTime (record time in seconds) | new module |
:meterpeter:Post> | passwords | Search for creds inside files recursive | Start | new module |
:meterpeter:Post> | DumpSAM | Dump LSASS, System, Security, Sam | Storage | new lsass dump technique |
:meterpeter:Post> | HiddenDir | Super\hidden directories manager | Search, Super, Create, Delete | Server Sub-Menu missing fix |
:meterpeter:Netscanner> | PingScan | List devices ip addr\ports\dnsnames on Lan | Enum, PortScan, AddrScan | PingSendAsync() bugfix |
:meterpeter:Keylogger> | Mouse | Record mouse clicks (psr) | *** | psr /output switch bugfix |
:meterpeter:Post> | dnsSpoof | Manage remote host file | *** | deleted - obsolete |
:meterpeter:Post> | SmbSpray | Smb password spray tool | start | deleted - amsi detected |
```text
Module Name              Module Description
-----------------------  ----------------------
info                     Retrieve remote host system information
session                  Retrieve Meterpeter C2 connection status
advinfo                  Advanced system information sub-menu
  |__ accounts           List remote host accounts
  |__ revshell           List client rev tcp shell information
  |__ ListAppl           List remote host installed applications
  |__ Processes          Remote host processes sub-menu
        |__ Check        List remote process(es) running
        |__ Query        Process name verbose information
        |__ DllSearch    List DLLs loaded by processes
        |__ Kill         Kill remote process from running (processname or pid)
  |__ Tasks              Enumerate schedule tasks sub-menu
        |__ Check        Retrieve schedule tasks
        |__ Query        Retrieve single task information
        |__ RunOnce      Create new schedule task
        |__ LoopExec     Create new schedule task
        |__ Delete       Delete existing schedule task
  |__ Drives             List all remote host mounted drives
  |__ Browser            List remote host installed browsers sub-menu
        |__ Start        Enumerate remote browsers\versions installed
        |__ Verbose      Verbose enumerate remote browsers installed
        |__ Addons       Enumerate installed browser addons
  |__ Recent             List remote host recent directory
  |__ ListSMB            List remote host SMB names\shares
  |__ StartUp            List remote host startup directory
  |__ ListRun            List remote host startup run entries
  |__ AntiVirus          Enumerate all EDR products installed sub-menu
        |__ Primary      PrimaryAV + Security processes
        |__ FastScan     PrimaryAV + Security processes + EDR hunt
        |__ Verbose      Full scan module ( accurate\slower )
  |__ OutLook            Manage OutLook Exchange Email Objects sub-menu
        |__ Folders      Display outlook folder names
        |__ Contacts     Display outlook contacts info
        |__ Emails       Display outlook email objects
        |__ Filter       SenderName objects <Info|Body>
        |__ SendMail     Send Email using target domain
  |__ FRManager          Manage remote host firewall rules sub-menu
        |__ Query        Query 'active' firewall rules
        |__ Create       Block application\program rule
        |__ Delete       Delete selected firewall rule
upload                   Upload from local host to remote host
  |__ start              Upload from lhost to rhost
download                 Download from remote host to local host
  |__ start              Download from rhost to lhost
Screenshot               Capture remote host desktop screenshots sub-menu
  |__ Snapshot           Capture one desktop screenshot
  |__ SpyScreen          Capture multiple screenshots (background)
keylogger                Install remote host keylogger sub-menu
  |__ Mouse              Start remote mouselogger
  |__ Keystrokes         Start\Stop remote keylogger
  |__ Pastebin           Send keystrokes to pastebin
  |__ Browser            Capture browsers active tab title
  |__ Clipboard          Capture strings\files copied to clipboard
PostExploit              Post Exploitation modules sub-menu
  |__ Stream             Stream remote host desktop live
        |__ Start        Stream target desktop live
  |__ Camera             Take snapshots with remote webcam sub-menu
        |__ Device       List all available WebCamera Devices
        |__ Snapshot     Auto use of default webcam to take snapshot
        |__ WebCamAvi    Capture video (AVI) using default webcam
  |__ FindEop            Search for EOP possible entry points sub-menu
        |__ Check        Retrieve directory permissions
        |__ Service      Search for Unquoted Service Paths
        |__ RottenP      Search for rotten potato vuln
        |__ Agressive    Search for all EOP possible entries
  |__ Escalate           Escalate rev tcp shell privileges sub-menu
        |__ GetAdmin     Escalate client privileges
        |__ Delete       Delete getadmin artifacts
        |__ CmdLine      UAC execute command elevated
  |__ Persist            Persist rev tcp shell on startup sub-menu
        |__ Beacon       Persist Client using startup
        |__ CmdLine      UAC execute command elevated
        |__ ADSRUN       Persist Client using ADS:Run
        |__ RUNONCE      Persist Client using REG:Run
        |__ REGRUN       Persist Client using REG:Run
        |__ Schtasks     Persist Client using Schtasks
        |__ WinLogon     Persist Client using WinLogon
  |__ TimeStamp          Change remote host files timestamp
        |__ Check        Print current file timestamp
        |__ Modify       Modify existing file timestamp
  |__ Artifacts          Clean remote host activity tracks sub-menu
        |__ Query        Query eventvwr logs
        |__ Clean        Clean system tracks
        |__ Paranoid     Clean tracks paranoid ( anti-forensic )
  |__ HiddenDir          Super\hidden directories manager sub-menu
        |__ Search       Search for regular hidden folders
        |__ Super        Search super hidden folders
        |__ Create       Create\Modify super hidden folder
        |__ Delete       Delete one super hidden folder
  |__ hideUser           Remote hidden accounts manager sub-menu
        |__ Query        Query all accounts
        |__ Create       Create hidden account
        |__ Delete       Delete hidden account
  |__ Passwords          Search for passwords inside files sub-menu
        |__ start        Search for credentials recursive
        |__ Dpapi        Dump DPAPI masterKeys + blobs
        |__ Vault        Dump creds from Password Vault
        |__ WDigest      Credential caching in memory [clear-text]
        |__ Brower       Web Browser credential dump [clear-text]
  |__ BruteAcc           Brute-force user account password
        |__ Start        Brute force user account password
  |__ PhishCred          Prompt remote user for logon creds
        |__ Start        Phish for remote credentials
  |__ AMSIpatch          Disable AMS1 within current process sub-menu
        |__ Console      Disable AMS1 within current process
        |__ FilePath     Execute input script through bypass
        |__ PayloadUrl   Download\Execute script through bypass
  |__ DumpSAM            Dump LSASS/SAM/SYSTEM/SECURITY metadata
  |__ Exclusions         Manage Windows Defender exclusions
        |__ Query        Query all windows defender exclusions
        |__ Create       Create a new windows defender exclusion
        |__ UrlExec      Download\Exec URI through created exclusion
        |__ Delete       Delete one windows defender exclusion
  |__ LockPC             Lock remote host WorkStation
  |__ Restart            Restart remote host WorkStation
  |__ Allprivs           EnableAllParentPrivileges to exec cmdline sub-menu
        |__ demo         EnableAllParentPrivileges to exec cmdline (demo)
        |__ cmdline      EnableAllParentPrivileges to exec cmdline (cmdline)
NetScanner               Local LAN network scanner sub-menu
  |__ ListDNS            List remote host Domain Name entries
  |__ TCPinfo            List remote host TCP\UDP connections sub-menu
        |__ Stats        Query IPv4 Statistics
        |__ Query        Established TCP connections
        |__ Verbose      Query all TCP\UDP connections
  |__ ListWifi           List remote host Profiles/SSID/Passwords sub-menu
        |__ ListProf     Remote-Host wifi Profile
        |__ ListNetw     List wifi Available networks
        |__ ListSSID     List Remote-Host SSID Entries
        |__ SSIDPass     Extract Stored SSID passwords
  |__ PingScan           List devices ip addr\ports\dnsnames on Lan sub-menu
        |__ Enum         List active ip addresses on Lan
        |__ PortScan     Single ip port scanner \ dns resolver
  |__ GeoLocate          Client GeoLocation using curl ifconfig.me sub-menu
        |__ GeoLocate    Client GeoLocation using curl
        |__ Ifconfig     Client GeoLocation using ifconfig
Pranks                   Prank remote host modules sub-menu
  |__ Msgbox             Spawn remote msgbox manager
        |__ simple       Spawn simple msgbox
        |__ cmdline      Msgbox that exec cmdline
  |__ Speak              Make remote host speak one phrase
        |__ start        Speak input sentence
  |__ OpenUrl            Open\spawn URL in default browser
        |__ Open         Open Url on default browser
  |__ GoogleX            Browser google easter eggs sub-menu
        |__ gravity      Open Google-Gravity webpage
        |__ sphere       Open Google-Sphere webpage
        |__ rotate       Open rotate 360º webpage
        |__ mirror       Open Google-Mirror webpage
        |__ teapot       Open Google-teapot webpage
        |__ invaders     Open Invaders-Game webpage
        |__ pacman       Open Pacman-Game webpage
        |__ rush         Open Google-Zerg-Rush webpage
        |__ moon         Open Google-Moon webpage
        |__ Terminal     Open Google-Terminal webpage
        |__ trexgame     Open Google-T-Rex-Game webpage
        |__ kidscoding   Open Google-kidscoding webpage
        |__ googlespace  Open Google-Space webpage
  |__ CriticalError      Prank that fakes a critical system error (BSOD)
  |__ Nodrives           Hide All Drives (C:D:E:F:G) From Explorer (GUI)
  |__ LabelDrive         Rename drive letter (C:) label (display name)
        |__ List         List ALL drives available
        |__ Rename       Rename drive letter label
```
Listing active TCP connections on remote host
Scanning OutLook for Email Objects
Record remote webcam in AVI format
Cleaning attacker system tracks ( anti-forensic )
File Name: meterpeter.ps1 ( server )
Scanner results: 1% Scanner(s) (2/46) found malware!
report: https://www.virscan.org/report/b5331541a9bc894a9e2e1b496a07fa01cb74e77819b3f51a9c099c0eca630790
Time: 20223-05-01 17:22:01 (CST)
File Name: Update-KB5005101.ps1 ( client )
Scanner results: 0% Scanner(s) (0/46) found malware!
report: https://www.virscan.org/report/b12399a52b5064b063fef4f5740d4784a2e3bb587a32ab416d047c909d0b5fc9
Time: 20223-05-01 17:22:01 (CST)
Haxor NickName | Description |
---|---|
@ShantyDamayanti | Help debugging modules |
@DanielDurnea | Documentation\Software |
@AHLASaad | Documentation\Software |
Published by r00t-3xp10it over 2 years ago
Executing the client (payload) with admin privileges unlocks ALL C2 server modules (AMSI + Execution_Policy bypasses). Droppers mimic a 'fake KB Security Update'. If executed, in the background they download\execute the client.ps1 in the '$Env:TMP' trusted location, with the intent of evading Windows Defender + Exploit Guard.
This version release update fixes AMSI detection in the meterpeter main script ( meterpeter.ps1 ), in the payload source code ( reverse tcp shell - Update-KB5005101.ps1 )
and in some of the meterpeter modules. It also comes with a redesigned menu style ( more user friendly ), and many of the existing modules have also been updated, either to bypass AV detection, to update module (functions) or simply to improve module console output displays.
Meterpeter Prompt | Module Name | Module Description | Module Options | State |
---|---|---|---|---|
:meterpeter> | Session | Meterpeter C2 connection status report updated | Session | updated |
:meterpeter:adv> | Browser | Safari\Brave browsers added to browsers list | Start | updated |
:meterpeter:adv> | Browser | Verbose enumeration added to module | verbose | updated |
:meterpeter:adv> | Browser | Enumerate installed browsers addons | addons | new |
:meterpeter:adv> | Drives | List remote host mounted drives updated | Start | updated |
:meterpeter:adv> | AntiVirus | Enumerate EDR products + Security processes running | Primary, FastScan, Verbose | updated |
:meterpeter:adv> | OutLook | Manage remote host OutLook Exchange Email Objects | Folders, Contacts, Emails, Filter, SendMail | new |
:meterpeter:post> | DumpLsass | Temporary AMSI bypass => Delete lsass dump function | Dumps Sam, System, Security metadata | bypass av |
:meterpeter:post> | AMSIpatch | Disable AMS1 within current process | Console, FilePath, PayloadUrl | new |
:meterpeter:post> | SMBspray | Local LAN SMB protocol password spray attack | Start | new |
:meterpeter:post> | Camera | Capture remote webcam snapshots | snapshot, device | bypass av |
:meterpeter:post> | Allprivs | EnableAllParentPrivileges to exec cmdline | demo, cmdline | new |
:meterpeter:pranks> | Criticalerror | Prank that fakes a critical system error (BSOD) | Criticalerror | new |
:meterpeter:pranks> | GoogleX | New google-space easter egg added to list | googlespace | updated |
:meterpeter:keylogger> | Start | Capture remote host keystrokes in background | Start, Stop | bypass av |
:meterpeter:keylogger> | PasteBin | Send keylogger keystrokes to selected pastebin account | PasteBin | new |
```text
Module Name              Module Description
-----------------------  ----------------------
info                     Retrieve remote host system information
session                  Retrieve Meterpeter C2 connection status
advinfo                  Advanced system information sub-menu
  |__ accounts           List remote host accounts
  |__ revshell           List client rev tcp shell information
  |__ ListAppl           List remote host installed applications
  |__ Processes          Remote host processes sub-menu
        |__ Check        List remote process(es) running
        |__ Query        Process name verbose information
        |__ DllSearch    List DLLs loaded by processes
        |__ Kill         Kill remote process from running
  |__ ListTasks          Enumerate schedule tasks sub-menu
        |__ Check        Retrieve schedule tasks
        |__ Query        Retrieve single task information
        |__ Create       Create new schedule task
        |__ Delete       Delete existing schedule task
  |__ Drives             List all remote host mounted drives
  |__ Browser            List remote host installed browsers sub-menu
        |__ Start        Enumerate remote browsers\versions installed
        |__ Verbose      Verbose enumerate remote browsers installed
        |__ Addons       Enumerate installed browser addons
  |__ Recent             List remote host recent directory
  |__ ListSMB            List remote host SMB names\shares
  |__ StartUp            List remote host startup directory
  |__ ListRun            List remote host startup run entries
  |__ AntiVirus          Enumerate all EDR products installed sub-menu
        |__ Primary      PrimaryAV + Security processes
        |__ FastScan     PrimaryAV + Security processes + EDR hunt
        |__ Verbose      Full scan module ( accurate\slower )
  |__ OutLook            Manage OutLook Exchange Email Objects sub-menu
        |__ Folders      Display outlook folder names
        |__ Contacts     Display outlook contacts info
        |__ Emails       Display outlook email objects
        |__ Filter       SenderName objects <Info|Body>
        |__ SendMail     Send Email using target domain
  |__ FRManager          Manage remote host firewall rules sub-menu
        |__ Query        Query 'active' firewall rules
        |__ Create       Block application\program rule
        |__ Delete       Delete selected firewall rule
upload                   Upload from local host to remote host
  |__ start              Upload from lhost to rhost
download                 Download from remote host to local host
  |__ start              Download from rhost to lhost
Screenshot               Capture remote host desktop screenshots sub-menu
  |__ Snapshot           Capture one desktop screenshot
  |__ SpyScreen          Capture multiple screenshots (background)
keylogger                Install remote host keylogger sub-menu
  |__ Mouse              Start remote mouselogger
  |__ Start              Start remote keylogger
  |__ Pastebin           Send keystrokes to pastebin
  |__ Stop               Stop keylogger process(es)
PostExploit              Post Exploitation modules sub-menu
  |__ Stream             Stream remote host desktop live
        |__ Start        Stream target desktop live
  |__ Camera             Take snapshots with remote webcam sub-menu
        |__ Device       List all available WebCamera Devices
        |__ Snapshot     Auto use of default webcam to take snapshot
  |__ FindEop            Search for EOP possible entry points sub-menu
        |__ Agressive    Search for all EOP possible entries
        |__ Check        Retrieve directory permissions
        |__ WeakDir      Search weak permissions recursive
        |__ Service      Search for Unquoted Service Paths
        |__ RottenP      Search for rotten potato vuln
        |__ RegACL       Insecure Registry Permissions
  |__ Escalate           Escalate rev tcp shell privileges sub-menu
        |__ GetAdmin     Escalate client privileges
        |__ Delete       Delete getadmin artifacts
        |__ CmdLine      UAC execute command elevated
  |__ Persist            Persist rev tcp shell on startup sub-menu
        |__ Beacon       Persist Client using startup
        |__ CmdLine      UAC execute command elevated
        |__ ADSRUN       Persist Client using ADS:Run
        |__ RUNONCE      Persist Client using REG:Run
        |__ REGRUN       Persist Client using REG:Run
        |__ Schtasks     Persist Client using Schtasks
        |__ WinLogon     Persist Client using WinLogon
  |__ TimeStamp          Change remote host files timestamp
        |__ Modify       Modify existing file timestamp
  |__ Artifacts          Clean remote host activity tracks sub-menu
        |__ Query        Query eventvwr logs
        |__ Clean        Clean system tracks
        |__ Paranoid     Clean tracks paranoid ( anti-forensic )
  |__ HiddenDir          Super\hidden directories manager sub-menu
        |__ Search       Search for regular hidden folders
        |__ Super        Search super hidden folders
        |__ Create       Create\Modify super hidden folder
        |__ Delete       Delete one super hidden folder
  |__ hideUser           Remote hidden accounts manager sub-menu
        |__ Query        Query all accounts
        |__ Create       Create hidden account
        |__ Delete       Delete hidden account
  |__ Passwords          Search for passwords in txt, logs sub-menu
        |__ Auto         Auto search recursive
        |__ Manual       Input String to Search
  |__ BruteAcc           Brute-force user account password
        |__ Start        Brute force user account password
  |__ SMBspray           SMB protocol password spray attack
        |__ Start        SMB proto password spray attack
  |__ PhishCred          Prompt remote user for logon creds
        |__ Start        Phish for remote credentials
  |__ Dnspoof            Hijack dns entries in hosts file sub-menu
        |__ Check        Review hosts File contents
        |__ Spoof        Add Entries to hosts file
        |__ Default      Defaults the hosts File
  |__ AMSIpatch          Disable AMS1 within current process sub-menu
        |__ Console      Disable AMS1 within current process
        |__ FilePath     Execute input script through bypass
        |__ PayloadUrl   Download\Execute script through bypass
  |__ DumpSAM            Dump SAM/SYSTEM/SECURITY raw creds
  |__ PtHash             Pass-The-Hash ( PS remote auth )
  |__ LockPC             Lock remote host WorkStation
  |__ Restart            Restart remote host WorkStation
  |__ Allprivs           EnableAllParentPrivileges to exec cmdline sub-menu
        |__ demo         EnableAllParentPrivileges to exec cmdline (demo)
        |__ cmdline      EnableAllParentPrivileges to exec cmdline (cmdline)
NetScanner               Local LAN network scanner sub-menu
  |__ ListDNS            List remote host Domain Name entries
  |__ TCPinfo            List remote host TCP\UDP connections sub-menu
        |__ Stats        Query IPv4 Statistics
        |__ Query        Established TCP connections
        |__ Verbose      Query all TCP\UDP connections
  |__ ListWifi           List remote host Profiles/SSID/Passwords sub-menu
        |__ ListProf     Remote-Host wifi Profile
        |__ ListNetw     List wifi Available networks
        |__ ListSSID     List Remote-Host SSID Entries
        |__ SSIDPass     Extract Stored SSID passwords
  |__ PingScan           List devices ip addr\ports\dnsnames on Lan sub-menu
        |__ Enum         List active ip addresses on Lan
        |__ PortScan     Lan port scanner \ domain resolver
        |__ AddrScan     Single ip port scanner \ dns resolver
  |__ GeoLocate          Client GeoLocation using curl ifconfig.me sub-menu
        |__ GeoLocate    Client GeoLocation using curl
Pranks                   Prank remote host modules sub-menu
  |__ Msgbox             Spawn remote msgbox manager
        |__ simple       Spawn simple msgbox
        |__ cmdline      Msgbox that exec cmdline
  |__ Speak              Make remote host speak one phrase
        |__ start        Speak input sentence
  |__ OpenUrl            Open\spawn URL in default browser
        |__ Open         Open Url on default browser
  |__ GoogleX            Browser google easter eggs sub-menu
        |__ gravity      Open Google-Gravity webpage
        |__ sphere       Open Google-Sphere webpage
        |__ rotate       Open rotate 360º webpage
        |__ mirror       Open Google-Mirror webpage
        |__ teapot       Open Google-teapot webpage
        |__ invaders     Open Invaders-Game webpage
        |__ pacman       Open Pacman-Game webpage
        |__ rush         Open Google-Zerg-Rush webpage
        |__ moon         Open Google-Moon webpage
        |__ kidscoding   Open Google-kidscoding webpage
        |__ googlespace  Open Google-Space webpage
  |__ CriticalError      Prank that fakes a critical system error (BSOD)
  |__ Nodrives           Hide All Drives (C:D:E:F:G) From Explorer (GUI)
```
Meterpeter C2 session command
Enumerating EDR products and security processes running
Scanning OutLook for Email Objects
Searching for Escalation Of privileges possible entries ( Sherlock.ps1 + findEop.ps1 + ACLMitreT1574.ps1 )
Enumerating remote host running tasks
Cleaning attacker system tracks ( anti-forensic )
File Name : meterpeter.ps1 ( server )
Scanner results:5% Scanner(s) (3/51) found malware!
report: https://r.virscan.org/language/en/report/8c0ce63fb15d2a5823ba1cb22a9065ab
Time: 2022-05-02 23:22:01 (CST)
File Name : Update-KB5005101.ps1 ( client )
Scanner results:0% Scanner(s) (0/51) found malware!
report: https://r.virscan.org/language/en/report/5c16a0c6be2fe39f582181efed4c5f5a
Time: 2022-04-29 04:14:59 (CST)
Haxor NickName | Description |
---|---|
@ShantyDamayanti | Help debugging modules |
@AHLASaad | Help debugging modules |
@RicardoAlves | Report of AVG+AVAST detection |
Published by r00t-3xp10it almost 3 years ago
This PS1 starts a listener server on a 'Windows|Linux' attacker machine and generates PS reverse tcp shell payloads obfuscated in 'BXOR' with a random secret key and another layer of Characters/Variables Obfuscation to be executed on the target machine. You can also receive the generated reverse tcp shell connection via 'netcat' (in that case you will lose C2 functionalities like screenshot, upload, download files, Keylogger, AdvInfo, PostExploit, Escalation-Of-Privileges, Stream Target Desktop).
Executing the client (payload) with admin privileges unlocks ALL C2 server modules (AMSI + Execution_Policy bypasses). Droppers mimic a 'fake KB Security Update'; if executed, they download\execute client.ps1 in the background into the '$Env:TMP' trusted location, with the intent of evading Windows Defender + Exploit Guard.
Remark: Meterpeter payloads | droppers are FUD ( Please don't Test\Send samples to Virus_Total\similar_websites or to $Microsoft Cloud suspicious.amsi samples )
Module Name | Issue | Update |
---|---|---|
Info | Get more information about target system (UserAccouts,RegisteredUser,BootUpTime,etc) | Automated Internal Function Update |
Meterpeter C2 Attack Vector | TinyUrl API implementation ( obfuscate the url dropper link ) | Automated Internal Function Update |
Meterpeter C2 sub-menus | Sub-menus displays redesigned ( more clean console outputs ) | Sub-Menus displays redesigned |
Advinfo -> PingSweep | Enumerate \ Scan active ip address on Local Lan \ Simple Port Scanner | New Module |
Advinfo -> GetBrowsers | AMSI string flagging detection on cmdlet auto-download \ execution | AMSI string detection bypass |
AdvInfo -> FRManager | Silencing microsoft defender using firewall rules (SilenceDefender_ATP.ps1) | New Module |
AdvInfo -> GeoLocate | Client (payload-target) geo location and public ip address resolver | New Module |
PostExploit -> Sherlock | Added to PostExploit -> FindEop ( search for escalation of privileges entries ) | New Module |
PostExploit -> GetAdmin | Replaced old (CMSTP) AMSI DLL bypass technique by (@Oddvar_Moe) SendKeys | AMSI string detection bypass |
PostExploit -> Escalate | Post -> Escalate -> CmdLine ( Spawn UAC gui to run cmdline elevated ) | New Module |
PostExploit -> CleanTracks | LNK artifacts search updated to include even more locations | LNK artifacts search updated |
PostExploit -> hiddendir | Query \ Create \ Delete super hidden system folders | New Module |
Dropper Id 2 ( HTA ) | AMSI string flagging detection on hta Build \ Download | AMSI string detection bypass |
Dropper Id 3 ( EXE ) | Auto-set-PS-execution-policy-to-unrestricted \ Binary.exe suspicious.amsi bypass | Source Code Updated |
Stream Target Desktop Live
Elevate session from UserLand to Administrator
Enumerating remote host installed browsers\versions
Simple ICMP\TCP builtin port scanner
Searching for Escalation Of privileges possible entries ( Sherlock.ps1 + findEop.bat + ACLMitreT1574.ps1 )
Enumerating remote host running tasks
Cleaning attacker system tracks ( anti-forensic )
Published by r00t-3xp10it about 3 years ago
This PS1 starts a listener server on a 'Windows|Linux' attacker machine and generates PS reverse tcp shell payloads obfuscated in 'BXOR' with a random secret key and another layer of Characters/Variables Obfuscation to be executed on the target machine (the payload executes an AMSI reflection bypass in the current session to evade detection while working). You can also receive the generated reverse tcp shell connection via 'netcat' ( in that case you will lose the C2 functionalities like screenshot, upload, download files, Keylogger, AdvInfo, PostExploit, etc ).
Meterpeter payloads/droppers can be executed with 'User' or 'Administrator' privileges, depending on the scenario ( executing the client as administrator will unlock ALL server modules, AMSI + ExecutionPolicy bypasses, etc. ). Droppers mimic a 'fake KB Security Update' while in the background they download\execute client.ps1 in the '$Env:TMP' trusted location, with the intent of evading Windows Defender + Exploit Guard.
Remark: Meterpeter payloads | droppers are FUD ( please don't test\send samples to virustotal\similar_websites or $microsoft team )
This version update fixes anti-virus windows defender 'AMSI' flagging detection on the 'meterpeter.ps1' main script, fixes script internal bugs and presents two new payload droppers ( HTA | EXE ) to choose from when running the meterpeter (server) to build the reverse tcp shell.
Dropper FileName | Format | AV Detection | Execution |
---|---|---|---|
Update-KB5005101.bat | Batch | Undetected | PS ExecutionPolicy bypass + Social Engineering cmdline (minimized prompt) |
Update-KB5005101.hta | HTA | Undetected | PS ExecutionPolicy bypass + Social Engineering msgbox (background prompt) |
Update-KB5005101.exe | EXE | Suspicious | uac (admin) \ nouac (user) + Social Engineering msgbox (background prompt) |
Module | Description | issue | Status | Notes |
---|---|---|---|---|
meterpeter.ps1 | Main script execution | Flagged by AMSI string detection | Fixed | ******** |
Post -> Escalate | Escalation of privileges using SLUI.exe | Flagged by AMSI string detection | _NEW_EOP_ | SLUI.exe |
Post -> Browsers | Enumerate browsers installed | does not display outputs + opera added | Fixed | ******** |
Post -> ListDir | Recursive search for hidden directories | Query search function updated | update | ******** |
Post -> SetMace | Change RemoteHost File TimeStamp | missing function in sourcecode | Fixed | ******** |
Post -> Pthash | Pass-The-Hash (Lateral Movement) | missing function in sourcecode | Fixed | ******** |
Post -> Stream | Stream target desktop (MJPEG) | new post-exploitation module | _NEW_ | ******** |
Post -> OpenUrl | Open URL in default browser | new post-exploitation module | _NEW_ | ******** |
Post -> Artifacts | Delete target system artifacts + eventvwr | new post-exploitation module | _NEW_ | ******** |
Post -> MsgBox | Spawn remote msgbox that exec cmdline | new post-exploitation module | _NEW_ | ******** |
Post -> HideUser | Hidden accounts manager (Workstation) | new post-exploitation module | _NEW_ | ******** |
keylogger -> Mouse | Capture mouse clicks screenshots | new post-exploitation module | _NEW_ | ******** |
AdvInfo -> CredPhi | leak user account creds (LanManServer) | validation against DC bug | workaround | ******** |
AdvInfo -> ListAcc | List user accounts | does not display outputs (stdout) | Fixed | ******** |
AdvInfo -> ListSID | List user accounts SID | does not display outputs (stdout) | Fixed | ******** |
AdvInfo -> ListSMB | List SMB accounts | does not display outputs (stdout) | Fixed | ******** |
AdvInfo -> Task | search for scheduled tasks running | does not display outputs (stdout) | Fixed | schtasks |
webserver | fake update download webpage | new meterpeter download method | _NEW_ | ******** |
meterpeter v2.10.10 auto-stores all files in the meterpeter webroot and delivers droppers\payloads using a fake software update webpage that spawns 'Update-KB5005101.ZIP' before redirecting the user to the real Microsoft catalog webpage. Attackers can also deliver 'dropper.ZIP' directly instead of using the fake software webpage (default). For that, just send the following URL to the target: http://<attacker-ipaddr>:8087/Update-KB5005101.zip to trigger the meterpeter dropper\payload silent download\execution.
Published by r00t-3xp10it over 3 years ago
:octocat: Project Description
meterpeter - This PS1 starts a listener Server on a Windows|Linux attacker machine and generates oneliner PS reverse shell payloads obfuscated in ASCII | BXOR with a random secret key and another layer of Characters-Variables Obfuscation to be executed on the victim machine (The payload will also execute AMSI reflection bypass in current session to evade AMSI detection while working). You can also receive the generated oneliner reverse shell connection via netcat. (in this case you will lose the C2 functionalities like screenshot, upload, download files, Keylogger, AdvInfo, PostExploitation, etc)
:octocat: Version v2.10.8 - Update Description
This update fixes anti-virus windows defender AMSI String flagging detection on the 'meterpeter.ps1' main script and in the 'Screenshot function'. The following modules have been modified to bypass detection: 'CredsPhish.ps1', 'DarkRcovery.exe', 'Keylogger.ps1' and 'GetBrowsers.ps1'.
:octocat: Repairing Bug Reports (issues)
Module | Description | issue | Status |
---|---|---|---|
meterpeter.ps1 | Main script | Flagged by AMSI String Detection | Fixed |
Keylogger.ps1 | Capture system keystrokes | Flagged by AMSI String Detection | Fixed |
GetBrowsers.ps1 | Enumerate Installed Browsers | Flagged by AMSI String Detection | Fixed |
CredsPhish.ps1 | Spawn user for valid credentials | Flagged by AMSI String Detection | Fixed |
DarkRcovery.exe | Dump browsers credentials | Flagged by AMSI String Detection | Still Flagging Detection |
📟 ⚡ meterpeter - v2.10.3 release - Video Tutorial (Under Windows Distro) ⚡ 📟
Published by r00t-3xp10it over 4 years ago
:octocat: Project Description
meterpeter - This PS1 starts a listener Server on a Windows|Linux attacker machine and generates oneliner PS reverse shell payloads obfuscated in ASCII | BXOR with a random secret key and another layer of Characters-Variables Obfuscation to be executed on the victim machine (The payload will also execute AMSI reflection bypass in current session to evade AMSI detection while working). You can also receive the generated oneliner reverse shell connection via netcat. (in this case you will lose the C2 functionalities like screenshot, upload, download files, Keylogger, AdvInfo, PostExploitation, etc)
:octocat: Server Automatic Completion Of Settings
meterpeter C2 now allows users to skip most of the Server inputs: just leave the input empty [press enter] and meterpeter will auto-complete it with the 'recommended' settings (if available).
:octocat: Improving (Server) Output Displays
Module | Description | Wiki Pages |
---|---|---|
CamSnap | Manipulate Remote WebCam Function Output Displays Review/Improved | wiki CamSnap |
GetSystem | Escalate Privileges Function Output Displays Review/Improved | wiki GetSystem |
Beacon | Beacon Persistence Function Output Displays Review/Improved | wiki Beacon |
Dnspoof | Dnspoof Sub-Menu Function Output Displays Review/Improved | wiki Dnspoof |
ListPriv | ListPriv Sub-Menu Function Output Displays Review/Improved | wiki ListPriv |
ListTask | ListTask Sub-Menu Function Output Displays Review/Improved | wiki ListTask |
:octocat: Repairing Bug Reports (issues)
Module | Description | issue | Wiki |
---|---|---|---|
Beacon | Persistence Module now beacons home from xx to xx sec (set by attacker). This allows the attacker a better chance to grab the rev connection | issue 2 | wiki |
Download | Function Review/Improved to allow empty spaces in remote path inputs. The use of single quotes is a requirement for this fix to work remotely | issue 3 | |
Upload | Function Review/Improved to allow empty spaces in remote path inputs. The use of single quotes is a requirement for this fix to work remotely | issue 3 | |
:octocat: Recent Updates to New|Existing Modules
Module | Description | Commit |
---|---|---|
Settings | New module to help the attacker remember active Server/Client settings | commit |
DumpSam | Function Review/Improved to also dump security LSA secrets (Remote) | commit |
Beacon | Persistence function updated to write a Server/Client settings logfile (Locally). This allows the attacker to store the settings from the previous day(s) | commit |
RegACL | Search for weak Service Permissions on Registry added to ListPriv (Menu) | commit |
ListDriv | Module Updated to also display the drives found Used and Free space | commit |
CredPhi | Module for phishing remote credentials using Windows PromptForCredential | commit |
Manual | Manual selection of target webcam device Name | commit |
📟 ⚡ meterpeter - v2.10.3 Dev release - Video Tutorial (Under Windows Distro) ⚡ 📟