LetMeHID! Red Teaming with P4wnP1 A.L.O.A.

Hi! Today I’m publishing a little tool I created some months ago. In these days I’m publishing a lot of things but obviously I’m not coding all day and night! 😀 As many of you, I’ve been stuck at home for almost two months and I’m using this time to review and publish all those projects that I did in the past, but that I never found the time to finish.

LetMeHID is a python tool that generates payload for the great [P4wnP1 A.L.O.A.](https://github.com/RoganDawes/P4wnP1_aloa), created by Marcus Mengs (MaMe82). The tool generates payloads can be executed on target Windows system in order to try to obtain a bind or reverse access using Metasploit Meterpreter.

The Meterpreter Stager that is executed by LetMeHID is letmein.ps1, a pure PowerShell Stager coded by my coworker Marco Ivaldi that is perfect for the purpose. The stager on his own had a very low detection rate but has been further compressed and modified to be more stealth. Bind and reverse shell payloads are in external files and can be easily replaced with ones with custom obfuscation (pay attention to the maximum number of characters that you can paste in a shell if you want to use the “direct” mode of operation).

As a bonus, this tool could be quite useful also if you are not interested in HID devices. During a penetration test if you have a command execution or a shell access, you can copy and paste commands generated by LetMeHID to easy obtain a bind/reverse Meterpreter shell! 😉

LetMeHID generates the following types of payloads:

  • direct: the payload is typed directly by the keyboard (longer but does not requires anything to work)
  • downloadAndExecute: the payload is downloaded from the attacker machine (proxy and proxy credentials supported) directly into the memory (without downloading to the file-system) and executed from memory (faster but require a HTTP connection from the target)
  • executeFromSd: the payload is executed from the external memory or external CD-rom emulated from the Raspberry PI0 (faster but instlls an external memory or external CD-rom to target, that can be suspicious/detected…)

Some juicy features has been added to LetMeHID in order to increase the success of the attack or to fake a real process:

  • Payloads support also PowerShell 2.0
  • Payloads use “-windowstyle hidden” option of PowerShell that put the PowerShell window in background
  • “fakeLegitProcess” option executes a custom command after the payload, in order to simulate a legit process like and AntiVirus update that spawns terminals. With this option, the default command opens the Windows Update page of the Control Panel (but can be changed)
  • Admin mode tries to open a PowerShell terminal with administrative privileges (there is a delay of 5 seconds because the UAT popup can require more time to show up)
  • “disableDefender” and “disableFirewall” options try to disable Windows Defender and Windows Firewall (admin mode only)

More information and obviously the tool could be found in the following GitHub repository:

Cheers!