- Starts a Command Prompt as Administrator
- Runs a PowerShell script which seamlessly self-creates and opens a Metasploit payload
- Exits, leaving everything as it was at the beginning
- Maximum running time: 30 seconds (±5 seconds, target dependent)
- Exposed time: 15 seconds (i.e. for 50% of the time after the Digispark is plugged in, there is visible movement on the screen)
Once plugged in, the Digispark spends 5 seconds in its bootloader and starts its job when the second LED lights up. It first opens CMD as Administrator via the Start menu and creates a new file that is used to trigger the attack and open the shell. There is another way to open CMD as Administrator: using the Run prompt and entering "powershell Start-Process cmd -Verb runAs", but in testing this took much longer to open the PowerShell prompt. If you want to use this method (cmd_2), refer to the comments in the code.
- You can reduce the running time by 5-8 seconds by tricking the bootloader; visit this page for more.
- The PowerShell script features a 6 second screensaver to hide the backdooring process; we will make this possible to enable/disable in the future.
- If the target machine's keyboard layout is not QWERTY/English, you can use the bash script on a Linux machine to convert the text between AZERTY and QWERTY in either direction.
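As an added example (not part of the original write-up), here is a defender-side check in Python that looks for the timeline described above in host telemetry: a keyboard-class USB device arriving, followed within the 30 second running time by an elevated cmd.exe spawned from explorer.exe, a .cmd file dropped in a Temp directory (the trigger file the cleanup notes below call tmp.cmd), and powershell.exe started as a child of cmd.exe. The event records, field names and timestamps are constructed for this example and only loosely modelled on Sysmon process-creation and file-creation data; a real deployment would map them from the SIEM's own schema.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Fields are modelled loosely on
# Sysmon process-creation (ID 1) and file-creation (ID 11) records plus a
# device-arrival record; "t" is an ISO 8601 timestamp.
SAMPLE_EVENTS = [
    {"t": "2024-01-01T10:00:00", "kind": "device", "detail": "USB HID keyboard attached"},
    {"t": "2024-01-01T10:00:07", "kind": "proc", "image": "cmd.exe",
     "parent": "explorer.exe", "elevated": True},
    {"t": "2024-01-01T10:00:12", "kind": "file", "image": "cmd.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\tmp.cmd"},
    {"t": "2024-01-01T10:00:13", "kind": "proc", "image": "powershell.exe",
     "parent": "cmd.exe", "elevated": True},
    # Benign: an admin launching PowerShell from cmd half an hour later.
    {"t": "2024-01-01T10:30:00", "kind": "proc", "image": "powershell.exe",
     "parent": "cmd.exe", "elevated": True},
]


def _ts(event):
    return datetime.fromisoformat(event["t"])


def find_hid_chains(events, window_s=30):
    """Return one alert per device arrival that is followed, within window_s
    seconds, by the full chain: elevated cmd.exe from explorer.exe, a .cmd
    file written under a Temp directory, and powershell.exe spawned by cmd.exe.
    The time bound is the point: a human does not complete this in 30 seconds."""
    events = sorted(events, key=_ts)
    alerts = []
    for i, dev in enumerate(events):
        if dev["kind"] != "device":
            continue
        deadline = _ts(dev) + timedelta(seconds=window_s)
        seen = {"elevated_cmd": None, "temp_cmd": None, "ps_from_cmd": None}
        for e in events[i + 1:]:
            if _ts(e) > deadline:
                break  # events are sorted, so nothing later can qualify
            if e["kind"] == "proc" and e["image"].lower() == "cmd.exe" \
                    and e["parent"].lower() == "explorer.exe" and e["elevated"]:
                seen["elevated_cmd"] = e["t"]
            elif e["kind"] == "file" and "\\temp\\" in e["path"].lower() \
                    and e["path"].lower().endswith(".cmd"):
                seen["temp_cmd"] = e["path"]
            elif e["kind"] == "proc" and e["image"].lower() == "powershell.exe" \
                    and e["parent"].lower() == "cmd.exe":
                seen["ps_from_cmd"] = e["t"]
        if all(seen.values()):
            alerts.append({"device_at": dev["t"], **seen})
    return alerts


if __name__ == "__main__":
    for alert in find_hid_chains(SAMPLE_EVENTS):
        print("possible keystroke-injection chain:", alert)
```

Widen or tighten `window_s` to match the running time measured for your own hardware; the benign PowerShell launch at 10:30 falls outside the window and is not flagged.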
Found that my metasploit just sat at "Meterpreter shell 1 opened at....". This could be because it attempts to automatically run the smart_migrate module upon connection. All I did to resolve this was to hit enter to get the msf prompt back, and then connect into the meterpreter session and run smart_migrate automatically.
Smart_migrate can be found at post/windows/manage/smart_migrate in the metasploit trunk. Although, be warned - smart_migrate automatically attempts to migrate into explorer.exe which DOES NOT have administrative privileges. So, you'll have to utilise the post modules to grant yourself admin and eventually even SYSTEM (if you want to dump firefox/chrome/IE passwords, hashes or use mimikatz or WCE to get the wDigest passwords from memory). I'd recommend the bypass_uac or ask modules to grab yourself admin - particularly ask in lower security environments.
If you're concerned about remaining undetected on the machine you've got the shell on, then I recommend the following steps:
- Delete tmp.cmd from %TEMP% - you don't want it to come back to bite you on the ass once you're done with the machine.
- Kill the powershell.exe process once you've migrated out of it.
Hope you all enjoy! I know many of you will find a good use for this, and as always - use responsibly!