Backdoor Commands
Swiftb0y edited this page Sep 16, 2017 · 1 revision
Try to kill the given remote process
Try to kill the remote client
This remote PowerShell method calls "core_create_proc" in order to create a
remote process.
The response is handled by "handler_client_core_create_proc()".
Print a list of processes managed by the remote client
Start a shell inside the target computer
Prints out everything on the target through the HID keyboard. Be sure
to set the correct keyboard language for your target (use the
'GetKeyboardLanguage' and 'SetKeyboardLanguage' commands).
usage: FireStage1 <trigger_type> <trigger_delay in milliseconds> [nohide] [uac]
Fires stage 1 via HID keyboard against a PowerShell process
on a Windows client.
The code downloads stage 2; after successful execution,
commands like "shell" can be used to get a remote shell
(communicating through the HID covert channel only).
THE KEYBOARD LANGUAGE HAS TO BE SET ACCORDING TO THE TARGET'S
KEYBOARD LAYOUT TO MAKE THIS WORK (use the 'GetKeyboardLanguage'
and 'SetKeyboardLanguage' commands).
trigger_type = 1 (default):
Is faster, because fewer keys have to be typed out. As the
PowerShell script isn't capable of reading the serial number and
manufacturer of a USB HID composite device, PID and VID have
to be prepended to the payload. This leaves a larger
footprint.
trigger_type = 2:
Is slower, because around 6000 chars have to be typed out to
build the needed assembly. There's no need to account for PID
and VID, as the code uses the device serial "deadbeef
deadbeef" and the manufacturer "MaMe82". These are hardcoded
in the assembly and leave a smaller footprint (not ad-hoc
readable if PowerShell script content is logged).
trigger_delay (default 1000):
The payload is started by running powershell.exe and directly
typing the script in via the HID keyboard.
This part is critical: if keystrokes get lost, the initial
stage won't execute. This could be caused by user interaction
during the stage 1 typeout, or by PowerShell.exe starting too
slowly and thus becoming ready for keyboard input too late.
The latter case can be handled by increasing the trigger delay,
to give the target host more time between the start of PowerShell
and the start of typing out stage 1.
The value defaults to 1000 ms if omitted.
nohide
If "nohide" is added, the setup step that hides the PowerShell window on
the target is omitted.
uac
If "uac" is added, P4wnP1 tries to run an elevated PowerShell
session hosting the payload.
Caution: The target user has to be a member of the "Local
Administrators" group, otherwise this will fail.
The option is disabled by default.
Shows which language is set for the HID keyboard.
Interact with processes on the target
Usage: Interact <process ID>
Use GetClientProcs to list the target process IDs.
Exit the Backdoor payload to the Pi's command line.
See details about the target computer
If the client is connected, the command arguments given are reflected back.
Communication happens through a pure HID covert channel.
Deploys a pre-compiled Ducky script saved in P4wnP1/duckyscrips/
Change directory on the Pi
Print the name of the Pi's current directory
Print the contents of the Pi's current directory
Print the target's current directory
List contents of the target's current directory
Change the target's current directory
Upload a file from the Pi to the target
Usage: upload <Pi/directory.filetype> <target/directory.filetype>
Download a file from the target to the Pi
Usage: download <target/directory.filetype> <Pi/directory.filetype>
undocumented for now