View Full Version : HID attacks using metasploit's psh_web_delivery instead of Powersploit

2015-01-11, 01:23
Powersploit is an excellent tool but I have found it to be less then reliable when dealing with 64-bit systems (at least with Net Hunter and the HID attack) and when using the powersploit payload for the HID attack you are required to have either Apache running on your net hunter device and hope the target network does not have client separation to prevent the victim from pulling powershell code off your net hunter device or push your own powersploit payload to a server for it to be pulled down from. The problem with this is you can potentially have to spin up two servers to serve up the payload and then receive a connect back shell. A more efficient and flexible option is to use powershell to pull down shellcode from metasploit's exploit/windows/misc/psh_web_delivery and then pass the URL it serves up to Net Hunter to download and run via IEX as you would any powershell payload. The main advantage of this is all outbound traffic goes to only one server (the server that would receive the connect back that would be serving up the payload via a different MSF module) and you can potentially serve payloads other then meterpreter (any powershell code really).

2015-01-21, 03:15
I find this idea very interesting. I would love to give a test out when I get some time.

2015-01-22, 20:53
I can confirm that this vector does work on windows 8.1 using exploit/multi/script/web_delivery and meterpreter/reverse_https as the payload and seems to provide a more stable meterpreter connection then the powersploit vector. If anyone wants I can post a tutorial in how to use this vector in the How To section.

2015-02-12, 08:59
@thesle3p that would be great! Thank you!

2015-10-01, 05:56
Hi, everyone, any news updated?? As I tried to apply this method, but there is no any payload option for windows when using exploits/multi/script/web_delivery.

Is there anyone having the same issues just like me???

2015-10-02, 07:34
Okay, I am stupid, I just noticed that I need to first set the target to 2 which is for PSH, now I can use windows payload....

2016-06-18, 18:11
Yeah, further testing revealed it works extremely well with exploits/multi/script/web_delivery with what ever windows payload you throw at it, sorry it took so long to return to this.

2016-11-28, 04:56
What a great idea, it will help a lot for me, thank you very much