Bringing Metasploit Exploits to Life with PowerShell

You have a remote shell to a Windows box in Metasploit, very cool, but what can you do? Granted Metasploit is loaded with features, options and tons of post modules (which are all amazing by the way), but what if you want to do something a bit more custom? Say, like adding custom pop-ups and even voice, but you have no clue about programming in Ruby.

How about PowerShell?

Let me start this out by saying I am no programmer. Sure I have futzed around with various languages over the years, and even supervised programmers at a couple jobs – but trust me, I am not a programmer. Secondly, I never would have been able to do this without one of the Metasploit gods – Mubix over at Thanks Mubix!

Talking with a friend about exploit capabilities, we came up the thought that wouldn’t it be cool if when a machine was exploited during a red team pentest, if it would pop up a Windows error message on the screen saying, “Knock, Knock Neo.” You know, from the Matrix movie.

And wouldn’t it be cool if you could get the computer to speak to said victim in a woman’s voice saying the same thing? What if, as long as we are custom creating our Matrix-ish payload, we also wanted to pop up a picture on the target system of the green text filled Matrix screen? I mean wouldn’t that be cool too?

Well, with PowerShell, you can!

If you look at Mubix’s “Powershell Popups + Capture” article, you can see the step-by-step process that we will follow.

Create a text file containing the Powershell commands, I used something like this:

$shell = New-Object -ComObject “Shell.Application”;
Start-Sleep -s 2;
[System.Windows.Forms.MessageBox]::Show(“Knock, knock, Neo.” , “Status” , 2);
(New-Object –ComObject SAPI.SPVoice).Speak(“Knock, Knock Knee Oh, the Matrix has you!”);

The first two lines allow the script to clear the user’s screen by minimizing all open windows. We then pause the script for a couple seconds for dramatic effect. The next two lines pop up a Windows (Abort, Retry, Ignore) message box with the movie message, “Knock, Knock Neo.”

Once the user clicks on one of the message box buttons, the script calls the Windows built in text to speech capabilities to audibly speak the same message out of their speakers. Sometimes the words don’t come out exactly like they should so you need to help the Windows voice API by using slightly different, but similar sounding words (ex. “Knee Oh” instead of “Neo”).

The final command opens a Matrix .jpg file that we would need to have already uploaded to the system via the Meterpreter upload command. (Pick a big one that fills the screen!)

We need to take the text file and encode it as Mubix’s site shows:

PowerPoint Text to Speech

Then run the following command in our remote shell, adding in the encoded text stream above:

powershell -ep bypass -enc <Paste in the Encoded Text>

And that is it!

Powershell Message Box

One more step that would make this even more creepy (or visually convincing in a red team pentest) would be to use Meterpreter’s built in webcam capability to first snap a picture of the remote user at his computer, upload that picture to their system in place of the matrix.jpg, and then run the command for a more personalized message from “the Matrix”!

Best defense against these types of attacks is to never, ever open or run unexpected files or attachments in e-mails. Never use a USB drive that you find laying around your company. Avoid public Wi-Fi when possible. Finally, always use a script blocking program on your internet browser.

Watch_Dogs “We are Data” – Creepy Cool Big Brother Interactive City Map


If you don’t visit any websites today, take the time and visit this one: We Are Data and prepared to be amazed (and totally creeped out)!

According to Ubisoft’s website, in the video game “Watch_Dogs”, Chicago is a smart city where data is used to solve all sorts of complex city problems. To show the amount of real data that is actually available now, they made a big brotherish type website where you can view data from three major cities, in real time. The data is then placed in it’s location on an interactive map.

Watch_Dogs WeareData gathers available geolocated data in a non-exhaustive way: we only display the information for which we have been given the authorization by the sources. Yet, it is already a huge amount of data. You may even watch what other users are looking at on the website through Facebook connect.

You first select a city, then you can select on a blue diamond that gives an exact location in the city. You are then zoomed into an overhead map where you can see traffic lights, ATMs, mobile network locations, etc. Kind of cool, but the creepy factor jumps up as you also see live tweets and other social media information. You can click on the social media icons and see actual posts from people in that area!


This really makes you think, if a video game company can pull this off, what can other organizations do that have different agendas? Imagine an interactive map that provides actual cell phone user data. Or if clicking on the CCTV video icons actually showed you the video from the location.

Sound far fetched?

It really isn’t. What if an interactive map pulled in live cell user data, say from one of those fake cell towers (or from planes) you hear about? Open or easily hacked webcams and CCTV video camera interfaces could be added – ever hear of Shodan? Heck, vulnerable routers or again easily hacked ones could also be made available.

Sadly as a high-tech society, we share way to much information electronically. We also give up a lot of electronic security in the name of convenience. In doing so, we have made big brother type scenarios an actual possibility!

The best thing we can do is make sure our devices are secured and encrypted. Turn off any Geo-Location information, and set privacy features when using social media. Never leave network devices set to the default credentials. And finally, never trust public Wi-Fi!

Don’t Trust your Router “Update” Feature

With all the news of router exploits and compromised units being used by hacker groups for attacks, make sure you include installing router firmware updates as part of your scheduled maintenance routine. Just don’t trust the built in “Update” feature…

One top name router I was working with yesterday needed updating. I went into the router admin screen and dutifully checked the “Check for Update” button. Good news – the router checked the manufacturer’s site and was using the latest firmware!

But it wasn’t…

I knew the manufacturer had just released a new critical firmware update. Doing a manual check on the support site verified my suspicion – the currently installed version was several months and several revisions old! If I believed that the router was using the current one, it would have remained vulnerable!

Sometimes router updates are not set as the latest version on the manufacturer’s update server. Check your firewall/routers/ Wi-Fi devices manually and make sure they are using the latest and greatest firmware. Also, never leave default credentials set on these devices, especially internet facing ones – use long complex passwords.


Making your Computer talk with PowerShell

text to speech

I’ve been playing around a bit with Microsoft’s built in text to speech capability, and if you haven’t seen it, it really is fun to play with. Windows has had the capability to do text to speech for a while, Windows 7 comes with a female voice named “Anna”, while Windows 8 has the capability to use several different voices (and languages I think).

It is extremely easy to try this out in PowerShell. Simply open Powershell on your computer and type in the following line:

(New-Object –ComObject SAPI.SPVoice).Speak(“This is a test”)

Your computer will immediately speak whatever text is in the parenthesis.

Sometimes the words don’t come out quite right, so you need to do a little bit of phonetic-eze to get them to sound better, like so:

(New-Object -ComObject SAPI.SPVoice).Speak(“Owh Nohs I have been hackered by the North Koreans”)

Or the ever famous:

(New-Object -ComObject SAPI.SPVoice).Speak(“You can’t connect to the inter net? it must be a Chinese a- Pea Tea”)

For more information and how to access the multiple voices in Windows 8, check out this excellent blog article.